Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake."— Presentation transcript:

1 1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake 1, Goichiro Hanaoka 2, and Kazuto Ogawa 1 1 Japan Broadcasting Corporation 2 National Institute of Advanced Industrial Science and Technology

2 2 Motivation

3 3 Background “Key exposure” is a critical problem !!  Even if a “secure” signature scheme is used, key leakage results in impersonation of the user. more critical for bidirectional broadcasting services !!

4 4 Bidirectional broadcasting service Signed Request Personal information Broadcaster network Smart card User Verification key Signing key e.g. TV shopping, Quiz program, etc. Service property: Real-time service

5 5 Problem for signing key leakage Signed Request Personal information Broadcaster network Smart card User Verification key Signing key key leakage Adversary Signed Request Personal information Key update Critical damage !! Broadcaster =

6 6 Problem for key update in bidirectional broadcasting service PKI cannot be applied directly. Smart card network User 1 User 2 User 3 User n Broadcaster Signing key Verification key CRL Verification key update CA Heavy load !! Real-time service cannot be offered !!

7 7 Solution Strong key-insulated signature (KIS) scheme Smart card network User 1 User 2 User 3 User n Broadcaster Verification key Signing key update Verification key does NOT have to be updated. No CRL!! No redistribution of verification key !!

8 8 Motivation In bidirectional broadcasting service, …  Signature size is required as short as possible Multiple copies of signed message are individually transmitted to users.  Conventional strong KIS scheme not efficient !! Our target Design an efficient strong KIS scheme with a significantly short signature size

9 9 Related works

10 10 Adversary Key-insulated signature (KIS) scheme Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003) Signer Verifier message + signature with time stamp old signing key update signing key time stamp partial key verification key verify signature reject secure against signing key leakage secure device

11 11 Adversary Strong KIS scheme Proposed by Dodis, Katz, Xu, Yung in 2003 [DKXY03] master key [DKXY03] Y. Dodis, J. Katz, S. Xu, and M. Yung : “Strong Key-Insulated Signature Schemes,'‘ Proc. of PKC’03. (2003) message + signature with time stamp old signing key update signing key time stamp partial key verification key verify signature secure device reject secure against signing key leakage or master key leakage Signer Verifier

12 12 Our contribution

13 13 Performance CB schemeGQ schemeOur scheme Verification key size (bits)3201024160 Signature size (bits)11201184480 Computational cost (signing)7201776240 Computational cost (verification)14401776720 Security assumptionDLRSADL CB scheme: Certificate-based strong KIS scheme using the Schnorr signatures GQ scheme: strong KIS scheme based on the Guillou-Quisquater signature

14 14 Security Our strong KIS scheme is secure  We achieved the same level of security as conventional strong KIS schemes. Adversary master key leakage valid signing key leakage or Signer

15 15 Our construction

16 16 Basic concept of our KIS scheme Efficient strong KIS scheme  By extending Abe-Okamoto proxy signature scheme [AO02] Efficient proxy signature scheme in terms of verification cost and communication cost [AO02] M.Abe and T.Okamoto : “Delegation Chains Secure up to Constant Length,'‘ IEICE Trans. (2002) Constructing an efficient strong KIS scheme from the Abe-Okamoto scheme is not a trivial exercise.

17 17 Why is it not a trivial exercise? (1) Extend the KIS scheme to a strong KIS scheme without increasing the signature size.  Conversion of proxy signature scheme to KIS scheme Proposed by Malkin, Obana, Yung in 2004. [MOY04] The resulting KIS scheme is not a strong KIS scheme.  Conversion of (standard) KIS scheme to strong KIS scheme Proposed by Dodis, Katz, Xu, Yung in 2003. [DKXY03] Employs double signing: a signature with the master key and a signature with the signer’s secret key not efficient We must construct a scheme without the above conversions. [MOY04] T. Malkin, S. Obana, and M. Yung : “The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures,'‘ Proc. of Eurocrypt’04,. (2004)

18 18 Why is it not a trivial exercise? (2) Extend the Abe-Okamoto scheme to a KIS scheme that provides adaptive security  Not taken into consideration in the security definition of [AO02] We must address adaptive security with a formal security proof from scratch.

19 19 Our proposed KIS scheme (1) Secure device Signer master key: verification key: Gen: key generation algorithm essential secret info.

20 20 Our proposed KIS scheme (2) Upd * : partial key generation algorithm Upd: key-update algorithm ? Secure device Signer time stamp signing key for a time period T master keypartial key Verifying partial key Upd* Upd

21 21 Our proposed KIS scheme (3) Sign: signing algorithm Vrfy: verifying algorithm ? Signer Verifier signing key Verifying signature verification key Sign Vrfy time stamp

22 22 Remarkable properties of our scheme A signer can update their signing key without updating verification key. The signature size of our scheme is significantly short : 480 bits

23 23 Another feature of our scheme Partial key verification  The signer can verify whether the partial key transmitted from the secure device is valid. If the secure device storing the master key is completely reliable, …  Partial key verification is unnecessary during the signing key update.  One of the verification keys can be, instead of and. Verification key size can be reduced by half.

24 24 Security Analysis

25 25 Basic concept of Security definition (1) KIS scheme Adversary valid signing key Broadcaster

26 26 Basic concept of Security definition (2) Strong KIS scheme Adversary valid master key Broadcaster

27 27 Security definition of KIS scheme Adversary A Signing oracle Forged signature Random oracle Key exposure oracle Success probability of signature forgery Security definition of KIS scheme k : security parameter N : total number of time periods A is allowed to submit a query to the key exposure oracle up to t times. If is negligible, is (t,N)- key-insulated. If is (N-1,N)-key-insulated, is perfectly key-insulated.

28 28 Security definition of strong KIS scheme Adversary B Signing oracle Forged signature Random oracle Success probability of signature forgery Security definition of strong KIS scheme k : security parameter N : total number of time periods If is negligible, is strong (t,N)-key-insulated. If is strong (N-1,N)-key-insulated, is perfectly strong key-insulated. master key

29 29 Overview of security proof Step1: modified Schnorr signature scheme EUF-ACMA secure under DL assumption Step2: our scheme key-insulated if the modified Schnorr signature scheme is EUF-ACMA secure. Step3: our scheme strong key-insulated if our scheme is key- insulated. Our scheme is strong key-insulated under DL assumption

30 30 Application

31 31 Bidirectional content distribution system (proposed by Ohtake, Hanaoka, Ogawa in 2006) Network Broadcaster User Content server Personal information management server Key management server master key Smart card Terminal Generate master key verification key initial signing key Update signing key Generate partial key Verify signature Create signature Our KIS scheme can be applicable.

32 32 Improved system based on our scheme network Content server Personal information management server Key management server Smart card PK Terminal master key x 0 x’x’ Reduced damage due to master key leakage - Even if the master key x 0 is leaked, the signing key cannot be updated without x’. Efficient verification - Verification key size: 160 bits - Suitable for a smart card Efficient signing - Signature size: 480 bits - Reduce the network cost for transmitting signed messages Broadcaster User

33 33 Summary

34 34 Summary Efficient strong KIS scheme  Significantly short signature size: 480 bits  Provably secure under DL assumption The most suitable signature scheme for bidirectional broadcasting services

35 35 Thank you for your attention !!

Download ppt "1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake."

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Efficient Signature Generation by Smart Cards 20103112 Suk Ki Kim 20103114 Sunyeong Kim.

Efficient Signature Generation by Smart Cards Suk Ki Kim Sunyeong Kim.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Network Security Term Project 2002 Fall Network Security Chul Joon Choi 2002. 10.08 Prof. Kwang jo Kim Network Security Term Project (2002 Fall) 발표자 :

Network Security Term Project 2002 Fall Network Security Chul Joon Choi Prof. Kwang jo Kim Network Security Term Project (2002 Fall) 발표자 :
Implementation of LSI for Privacy Enhancing Computation Kazue Sako, Sumio Morioka 2011.2.10

Implementation of LSI for Privacy Enhancing Computation Kazue Sako, Sumio Morioka
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.

Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:

Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.

Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

Similar presentations

Ads by Google