a robust identity-based signature scheme that avoids key...

A Robust Identity-Based Signature Scheme

that Avoids Key Escrow Problem

Jaydip Sen

Senior Scientist

Innovation Labs, Tata Consultancy Services, Kolkata, India

Email: [email protected]

6th ETSI Security Workshop

19 – 20 January 2011- ETSI, Sophia Antipolis, France

6th ETSI Security Workshop Jan 19 - 20, 2011, France

Agenda

• Overview of the work

• Identity-Based Cryptography

• The Contribution of the Proposed Scheme

• Security model of the escrow-free identity-based signature scheme

• User public key anonymity

• Conclusion


Overview of the Work

• The proposed scheme is based on an identity-based cryptosystem that can

authenticate a user by merely using an identity string as the public key of the

user.

• Each signer has his own public key and secret key. The private key generator

generates the identity-based secret key for the signer with respect to the user

public key. The signer uses both secret keys to sign a message.

• Unlike the current scheme, the verification protocols of the existing schemes

like certificate-based signatures (CBS), certificate-less signatures (CLS) and

self-certificated signatures (SCS) require signer’s pubic key to be verified.

• The proposed scheme also achieves highest level of trust as per Girault

model of trust.

• In addition to solving the key escrow problem, the proposed scheme also

achieves anonymity of the user public key.


Identity-Based Cryptography (1)

• Identity-based cryptography � introduced by Shamir

– Authentication of a public key by merely using an identity string as the public key

– No necessity to ensure the validity of the public key

• A series of identity-based schemes (IBS) current exist:

– Identity-based signatures

– Identity-based encryption

– Hierarchical identity-based cryptography

• In IBSs, there is a trusted party called private key generator (PKG) which generates the secret key for all users.

– Full trust must be placed on the PKG

– A malicious PKG can sell users’ keys, sign messages or decrypt cipher-texts on behalf of users without being confronted in a court of law � Key Escrow Problem.


Identity-Based Cryptography (2)

• Girault has defined three levels of trust to the PKG:

– Level 1 � PKG computes users’ secret keys and, therefore, can impersonate any

user without being detected. Example: Identity-based signature schemes.

– Level 2 � PKG cannot compute users’ secret keys. However, PKG can still

impersonate any user without being detected. Example: Certificate-less schemes.

– Level 3 � PKG cannot compute users’ secret keys and PKG cannot impersonate

any user without being detected. Example: Certificate-based signature schemes

and self-certificated schemes.

• The existing schemes that achieve level 2 or level 3 of trust are not identity-based. It is

an open problem to construct an identity-based signatures with level 2 or level 3 of trust

without publishing the user public key.


The Contribution

• The concept of escrow-free identity-based signature is introduced to reduce the trust in the PKG.

• Each signer has his own public key and secret key.

• PKG generates the identity-based secret key for the signer with respect to the user public key.

• The signer uses both the secret keys to sign a message. Hence, the signer is protected against a malicious PKG.

• To verify the signature, it only requires the signer’s identity and the message. In the other schemes (CBS, CLS, SCS), the verification protocols require the signer’s public key to verify.

• The scheme achieves level 3 of trust, which is the highest level of trust that can be achieved.


Security Model for the Identity-Based Signature Scheme (1)

• An escrow-free identity-based signature scheme has six polynomial-time algorithms:

• Setup: On input a security parameter 1k, it generates the system parameter param, the master secret key msk and the master public key mpk.

• UserKeyGen: On input the system parameter param, the user generates the user secret key uskand the user public key upk.

• Extract: This is an interactive algorithm between the PKG and the user. The common input are param, upk, and an identity ID. The PKG’s algorithm Extractp private input is msk. The user’s algorithm Extractu private input is usk. The interaction includes the user giving the PKG a joining proof Pf which shows the user’s participation with respect to upk. The user obtains the identity-based secret key skID, upk with respect to the identity ID and the user public key upk.

• Sign: On input param, usk, skID, upk and a message m, the user with identity ID generates a signature σ.

• Verify: On input param, mpk, ID, m and σ, it returns 1 or 0 for accept or reject respectively.

• Blame: This is an interactive algorithm between the PKG, the user and the judge. The common inputs are param, mpk, ID, upk, m and σ. The user’s algorithm Blameu with private input usk sends a blame request φ to a judge. The judge’s algorithm Blamej output “PKG” if:

– Φ shows that σ is related to upk and the PKG’s algorithm Blamep, with private input msk, fails to provide a public key upk’, a joining proof Pf and a transcript ρ, such that (i) upk’ is related to σ, (ii) Pf shows the user’s participation with respect to upk’, and ρ is the transcript of the extract algorithm witb upk’.

– Otherwise, the judge outputs “upk”.


Security Model for the Identity-Based Signature Scheme (2)

• Four entities are involved in the scheme:

– Users

– The PKG

– The judge

– Trusted Third Party (TTP) who certifies the joining proof Pf

• It is assumed that the PKG and the TTP do not collude. Otherwise, the malicious PKG

can sign a message with respect to upk and the TTP can provide a fake joining proof Pf

and the malicious PKG is not caught by the Blame algorithm.

• Also, it is assumed that the user and the TTP cannot collude. Otherwise, a malicious

user can sign a message using his identity-based secret key and the TTP can

intentionally disapprove the joining proof Pf. As a result, a malicious user cannot be

caught by the Blame algorithm.

• Although the signature is signed using usk and an identity-based secret key bound with

upk, the verification of may not need upk. Similar to the standard identity-based

signatures, the verification of only requires the identity ID.


User Public Key Anonymity (1)

• In the escrow-free IBS scheme, the user public key is included in the signature.

• In some applications, it may not be desirable to let the verifier know the user public key:

– Example: A student has a long-term user public key. He may apply for an identity-

based secret key for his student ID from the university. He may also apply for an

identity-based secret key for his email address from the Internet service provider.

When a user uses escrow-free IBS he may not want the signatures from two

different identities to be linked to the same public key.

• In order to construct an escrow-free IBS scheme which is fully identity-based, a

signature is required that contains any information about the user public key. This

additional property is called user public key anonymity.


User Public Key Anonymity (2)

• The security model for user public key anonymity captures the attack that wants to distinguish if a signature is signed by an honest user with a user public key upk.

• The attacker is given the master secret key, but cannot query any join oracle. In other words, the attacker can retrieve the master secret key from the real PKG, but not the join transcript from the real PKG.

• The users joining the real PKG will have anonymity even if the master secret key is stolen.

• The following game is designed for anonymity:

– The simulator S gives param, a master public key mpk, a master secret key msk, two user public keys upk0, upk1 to the adversary A.

– A is allowed to query the oracle adaptively: Signing Oracle SO(m, ID, b): it returns a valid signature σ for the message m and the identity ID with respect to upkb.

– A sends a message m* and an identity ID* to S. S picks a random bit and computes σ* Sign(param, usk, skID*, m), where skID* is the identity-based secret key computed using (msk, upk, ID*) and usk is the user secret key for upk. B sends σ* to A.

– A is allowed to query the above oracles adaptively.

– A returns a bit b*.

– A wins the game if = b*. We must require that there is no query of the form SO(m*, ID*, .).

• An identity-based signature scheme is (ε, t, qs) –secure against anonymity if there is no t time adversary winning the game with probability at least with queries to SO.


Conclusion

• An identity-based signature scheme is presented that has two novelties:

– It introduces the concept of identity-based cryptosystem fro generation of the secret key of a user from its public key, and overcomes the well-known key escrow problem in the traditional identity-based systems.

– It also achieves public key anonymity since its uses identity to verify a signature, and it is possible for the signature to be anonymous with respect to the user public key.

• The proposed IBS achieves level 3 of trust to the PKG, which is the highest level of trust of the model proposed by Girault. It is more secure than CBS, CLS, and SCS since the user public key is not involved and its not sent to the verifier.

• While overcoming the problem of key escrow in the traditional identity-based schemes, the scheme does not need multiple PKGs to be deployed so that no extra infrastructure and communication cost is introduced between the users and different PKGs.

• It is the only identity-based signature scheme that achieves user public key anonymity. Certificate-less signature, certificate-based signatures and self-certificated signatures schemes resolve the key escrow problem but they are not identity-based scheme and user public key is used as public information.

• The scheme is applicable in any real world client-server or peer-to-peer systems including light-weight power-constrained mobile and hand-held devices where secure authentication and message confidentiality are two prime requirements.


References

1. A. Shamir, “Identity-based cryptosystems and signature schemes”. In CRYPTO’84, Vol. 196, LNCS, pp. 47 – 53, Springer, 1984.

2. D. Boneh and M.K. Franklin, “identity-based encryption from the weil pairing”. In ASIACRYPT 2001, Vol., 2139, LNCS, pp. 213 – 229, Springer, 2004.

3. C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography”. In ASIACRYPT 2002, Vol. 2501, LNCS, pp. 548 – 566, Springer, 2002.

4. M. Bellare, C. Nameprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes”. In EUROCRYPT 2004, Vol. 3027, LNCS, pp. 268 – 286, Springer 2004.

5. D. Galindo, J. Herranz, and E. Kiltz, “On the generic construction of identity-based signatures with additional properties”. In ASIACRYPT 2006, Vol. 4284, LNCS, pp. 178 – 193, Springer 2006.

6. S. S. Al-Riyami and K.G. Paterson, “Certificate-less public key cryptography”. In ASIACRYPT 2003, Vol. 2894, LNCS, pp. 452-473, Springer 2003.

7. C. Gentry. “Certificate-based encryption and certificate revocation problem”. In EUROCRYPT 2003, Vol. 2656, LNCS, pp. 272 – 293, Springer, 2003.

8. M. Girault. “Self-certified public keys”. In EUROCRYPT ’91, Vol. 547, LNCS, pp. 490 – 497, Springer, 1991.

9. V. Goyal. “Reducing trust in the PKG in Identity based Cryptosystems”. In CRYPTO 2007, Vol. 4622, LNCS, pp. 430 – 447, Springer, 2007

10. M.H. Au, Q. Huang, J. K. Liu, W. Susilo, D.S. Wong, and G. Yang. “Traceable and retrievable identity-based encryption’. In ACNS 2008, Vol. 5037, LNCS, pp. 94 – 110, 2008.

11. V. Goyal, S. Lu, A. Sahai, and B. Waters. “Black-box accountable authority identity-based encryption.” In CCS 2008, pp. 427 – 436, ACM, 2008.

12. A.P. Sui, S.S.M. Chow, L.C.K. Hui, S.;M. Yiu, K.P. Chow, W.W. Tsang, C.F. Chong, K.K.H. Pun, and H.W. Chan. “Separable and anonymous identity-based key issuing”. In ICPADS 2005, pp. 275 – 279, IEEE Computer Society, 2005.

13. M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. “Key-privacy in public-key encryption. In ASICRYPT 2001, Vol. 2248, LNCS, pp. 566 – 582, Springer, 2001.

14. B.G. Kang, J.H. Park, and S.G. Hahn. “A certifcate-based signature scheme”. In CT-RSA 2004, Vol. 2964, LNCS, pp. 99 – 111, Springer, 2004.

15. US Patent: “Identity and signature verification system”. Application No. 11/148,710, Publication No. US 2006/0291699 A1, Filing date: Jun 8, 2005.

16. US Patent: “ID-based signature, encryption system and encryption method.” Application No: 11/048, 863, Patent No. 7711113, Filing date: Feb 3, 2005, Issue date: May 4, 2010.

17. US Patent: “Efficient hybrid public key signature scheme”. Application no. 9/307,493, Filing date: May 7, 1999, Issue date: mar 2, 2004, Patent no. 6701434.

18. US Patent: “Apparatus and method for demonstrating and confirming the status of digital certificates and other data.” Application No. 10/106,869, Publication no. US 2002/0188843 A1, Filing date: Mar 25, 2002.

19. US Patent: “Public key encryption with digital signature scheme”. Patent No. 7707420, Filing Date: Jun 15, 2000, Issue Date: Apr 27, 2010, Application No. 9/594,368.

20. US Patent: “Generating digital signatures using ephemeral cryptographic key”. Patent No. 7693277, Filing Date: Aug 8, 2005, Issue Date: Apr 6, 2010, Application No. 11/161,564

a robust identity-based signature scheme that avoids key...

Documents