Elsevier

Information Sciences

Volumes 442–443, May 2018, Pages 158-172

Intrusion-resilient identity-based signatures: Concrete scheme in the standard model and generic construction

https://doi.org/10.1016/j.ins.2018.02.045

Abstract

The key exposure problem is a serious problem for identity-based signatures. Once the secret key of an identity-based signature scheme is exposed, all signatures generated with this secret key can no longer be trusted. To mitigate this damage, the intrusion-resilient mechanism has been introduced into identity-based signatures. However, all existing schemes can only be proven secure in the random oracle model. As is well known, security proofs in the random oracle model do not always imply the security of actual schemes in the real world. To address this problem, in this paper we propose the first intrusion-resilient identity-based signature (IRIBS) scheme that can be proven secure in the standard model. In the proposed scheme, the homomorphic structure of the key update is used to refresh secret keys within one time period, which lets the scheme achieve intrusion resilience when key exposure happens. In addition, we provide the first solution for generically constructing IRIBS schemes. We make use of the separable structure between the user's key material used for updating and that used for the actual signing. As a result, our solution can produce IRIBS schemes from forward-secure identity-based signature (FSIBS) schemes that have a special property. This contribution will also simplify the future design of IRIBS schemes and FSIBS schemes.

Introduction

Key exposure greatly threatens the security of digital signatures. Once a secret key is exposed, all signatures signed with this secret key are untrustworthy. Keeping secret keys absolutely secure is nearly impossible in the modern age of ubiquitous computing, with the increasing use of mobile and unprotected devices. An adversary may not choose to break the underlying cryptographic assumptions, but instead break into users' private storage to obtain their secret keys. Therefore, how to diminish the damage of key exposure for digital signatures is an important problem.

Forward-secure signatures preserve the validity of past signatures even if the current secret key is exposed. In a forward-secure signature scheme, the total time is divided into discrete time periods, and the secret keys used to sign messages differ from one time period to the next. At the end of each time period, the current secret key is used to generate the secret key of the next time period by an update function, while the public key stays fixed for the whole lifetime. The time period becomes part of the signature when a message is signed. As a result, an intruder cannot forge any signature for a previous time period even if the current secret key is compromised. Bellare and Miner [3] first formalized the definition of forward-secure signatures and proposed practical schemes following the idea of Anderson [2]. So far, many forward-secure signature schemes with different merits have been presented, such as [1], [5], [6], [11], [14], [15], [23]. However, forward-secure signatures cannot preserve the validity of signatures generated after the time period of key exposure. To resolve this problem, the key-insulated signature was proposed [7], [28]. In this primitive there are two modules, a user and a base. The user generates signatures with its secret keys and updates them with the help of the base in each time period. The base is a trusted device with very strong security. Even if an intruder obtains the user's current key, it cannot forge signatures for the periods before and after the period of key exposure as long as the base remains secure. Forward-secure signatures and key-insulated signatures have been applied to cloud storage auditing to check the integrity of cloud data [24], [25], [27].

Compared with forward-secure signatures and key-insulated signatures, intrusion-resilient signatures [12], [13] offer a higher level of security. As in key-insulated signatures, the user can generate signatures on its own, while key update needs the help of the base. Unlike key-insulated signatures, the secret keys of the user and the base are refreshed many times within one period. Refresh is completely transparent to the verifier: the verifier only needs to know the current time period, not how many refresh operations have occurred in it. Refresh operations greatly enhance the security of signatures. As a result, the intruder is unable to forge signatures of other periods even after arbitrarily many compromises of the base and the user, as long as these compromises do not happen at the same time. Furthermore, the intruder cannot forge signatures of previous time periods even if it compromises the base and the user at the same time.

The concept of the identity-based signature was first proposed by Shamir [16]. In such a scheme, a signer's identity serves as the public key, so the verifier can check the validity of signatures using the signer's identity. Identity-based signatures reduce the complexity and cost of managing a Public Key Infrastructure (PKI). In an identity-based signature scheme, however, once key exposure happens the user's identity and the corresponding secret key have to be revoked and a new identity and a new secret key reissued. Unfortunately, a user's identity is not convenient to change; therefore, how to limit the impact of key exposure for identity-based signatures has become a focus of research.

The forward-secure, key-insulated and intrusion-resilient mechanisms may all be applied to identity-based signatures to limit the impact of key exposure. The definition and security notions of forward-secure identity-based signatures (FSIBS) were presented in [21]. Zhou et al. [29] proposed the first key-insulated identity-based signature scheme, but it does not satisfy strong key-insulated security. Weng et al. re-formalized the definition and security notions of key-insulated identity-based signature schemes and proposed efficient schemes such as [18], [20]. An intrusion-resilient identity-based signature (IRIBS) scheme was proposed in [22]. This kind of signature appears to provide the most security when the user wants to avoid identity revocation in the identity-based setting. IRIBS can be applied in scenarios where it is convenient to provide an additional device that periodically interacts with the user, and it is very attractive when security is the priority. The scheme in [22], however, is only proven secure in the random oracle model. Security proofs in the random oracle model are only heuristic: according to the analysis in [10], no real function can in general behave exactly like a random oracle, so such proofs do not always imply the security of actual schemes in the real world [10]. In recent years there has been much research on cryptographic systems without random oracles, such as [8], [9], [17], [26]. Therefore, constructing an IRIBS scheme without random oracles is a worthwhile task.

The main contributions of this paper are as follows:

  • (1) We construct the first IRIBS scheme proven secure in the standard model. Our construction is based on the framework of the FSIBS scheme in [21], which uses a binary tree structure to organise the time periods. We make use of the homomorphic structure of the key update to refresh secret keys within one time period, so the scheme inherits the attractive efficiency of this structure. All complexities, including key setup time, secret key extraction time, user (base) key update time, user (base) key refresh time, signing time, verification time, public parameter size, secret key size and signature size, are upper bounded by O(log₂ T) in terms of the total number of time periods T.

  • (2) We propose a generic construction of IRIBS schemes. It requires FSIBS schemes with a separable structure between the user's key material used for updating and that used for the actual signing. Our concrete IRIBS scheme in this paper and the IRIBS scheme in [22], the only two existing IRIBS schemes, both have this structure. We believe this contribution will simplify the future design of IRIBS schemes and FSIBS schemes.

  • (3) As an additional contribution, we give an indirect security proof of our concrete IRIBS scheme. Our proof does not reduce directly to a hard computational problem, but relies on the security of [21]. This proof differs from that in [22] in that it simplifies the complex simulation needed in a direct proof.

We give an application example of our IRIBS scheme, similar to the example in [12]. Digital signatures are widely used in on-line authentication. When a user establishes an authenticated secure connection to a website, he needs to check the signature on the message from the website. If an identity-based signature is adopted and the secret key of the website is compromised, the identity information has to be revoked; however, identity information is not convenient to change in real environments. Our proposed scheme can be applied in this scenario: the secret key exposure only affects the authenticity of the website for a very short time, and the website is authentic again once the secret key is updated.

Organization. In the following section we introduce the preliminaries of our work, including the cryptographic definitions and assumption, the definition of the intrusion-resilient identity-based signature scheme and its security notions. A concrete description of the proposed scheme is given in Section 3. Section 4 gives the security analysis of the scheme. A further discussion of how to generically construct IRIBS schemes from forward-secure identity-based signature schemes with a special property is given in Section 5. Finally, we conclude in Section 6.


Cryptographic definitions and assumption

Groups G1 and G2 are two (multiplicative) cyclic groups of the same prime order p; that is, every generator of G1 or G2 has order p.

A bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ satisfies the following properties:

  • 1. Bilinear: For all g1, g2 ∈ G1 and a, b ∈ Zp, $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$.

  • 2. Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2.

  • 3. Computable: There is an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for any g1, g2 ∈ G1.

The security of

High level description

Our construction is based on the forward-secure identity-based signature scheme in [21]. We use the same full binary tree of depth l as in [21] to represent $T = 2^l$ time periods. Each time period is associated with one leaf of the tree, from left to right, so the leftmost leaf is associated with time period 0 and the rightmost leaf with time period T-1. Each node of the binary tree is labeled with a binary string. Let ɛ denote the empty string, and

Security analysis

In this paper we adopt an indirect security proof of our concrete IRIBS scheme. The proof does not reduce directly to a hard computational problem, but relies on the security of [21]. A direct security proof would involve an overly complex simulation, so we adopt this indirect technique to reduce the simulation and simplify the proof, making it easier to understand. The security of our proposed IRIBS scheme depends on the security of the FSIBS scheme

A generic construction of IRIBS from FSIBS with special property

We first introduce the homomorphic map, which is the property needed to divide the update key into two parts that are used to update the keys. One part is held by the user, and the other by the base.
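The two-part update key, its refresh within a period and its homomorphic update across periods (this also covers the base/user refresh described in the Introduction), as an added toy model in Python that is not the paper's construction: the group parameters P, Q, G, the multiplicative sharing, the refresh message G^-r and the public per-period exponent h_t are all constructed here for illustration.

```python
"""Toy model (added illustration, not the paper's construction) of an update
key shared between a user and a base, refreshed within a time period, and
updated across periods through a homomorphic map."""
import secrets

# Constructed toy parameters: Q = 2P + 1 is a safe prime, so G = 4 (a square)
# generates the subgroup of prime order P in Z_Q^*.  Sizes are illustrative.
P = 1019
Q = 2 * P + 1  # 2039
G = 4

def gpow(base, exp):
    """Exponentiation in the order-P subgroup; exponents live in Z_P."""
    return pow(base, exp % P, Q)

def split_update_key(s, b=None):
    """Share the update key G^s multiplicatively: the base keeps G^b for a
    random b, the user keeps G^(s-b).  Returns (user_part, base_part)."""
    b = secrets.randbelow(P) if b is None else b
    return gpow(G, s - b), gpow(G, b)

def refresh(user_part, base_part, r=None):
    """Refresh inside a period: the base multiplies its part by G^r and sends
    the user the message G^-r.  The product is unchanged, but both parts are
    re-randomised, so a user part and a base part captured in different
    refresh epochs no longer combine to the key."""
    r = secrets.randbelow(P) if r is None else r
    return (user_part * gpow(G, -r)) % Q, (base_part * gpow(G, r)) % Q

def combine(user_part, base_part):
    """The full update key; only a party holding both parts can form it."""
    return (user_part * base_part) % Q

def period_exponent(t):
    """Public per-period scalar h_t (toy choice; any public nonzero value)."""
    return 1 + (7 * t + 3) % (P - 1)

def update_part(part, t):
    """Homomorphic per-period update X -> X^(h_t).  Since (X*Y)^h = X^h * Y^h,
    user and base update their own parts locally and the parts still multiply
    to the updated key; a non-homomorphic map (e.g. hashing the key) would
    force one party to see the whole key at every update."""
    return gpow(part, period_exponent(t))
```

Combining a user part from one refresh epoch with a base part from another yields a group element that differs from the key whenever the refresh randomness r is nonzero, which is the two-module property the scheme relies on.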

Conclusion

The intrusion-resilient mechanism can greatly reduce the damage of key exposure for identity-based signatures. In this paper we give two important results on intrusion-resilient identity-based signatures. First, we present the first intrusion-resilient identity-based signature scheme proven secure in the standard model. Second, we propose a generic construction of IRIBS schemes from FSIBS schemes with a special property.

Acknowledgements

This research is supported by National Natural Science Foundation of China (61572267, 61272425, 61402245), National Development Foundation of Cryptography (MMJJ20170118, MMJJ20170126), the Open Project of Co-Innovation Center for Information Supply & Assurance Technology, Anhui University, the Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (2017-MS-21, 2016-MS-23), Jiangsu Key Laboratory of Big Data Security &

References (29)

  • D. Boneh et al. Efficient selective-ID secure identity-based encryption without random oracles.

  • D. Boneh et al. Identity based encryption from the Weil pairing. Advances in Cryptology - CRYPTO'01 (2001).

  • X. Boyen et al. Forward-secure signatures with untrusted update.

  • Y. Dodis et al. Strong key-insulated signature scheme. Advances in Public Key Cryptography - PKC'03 (2003).