Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus."— Presentation transcript:

1 Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

2 Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security

3 Motivation for better security Hi Bob SignatureHi Bob

4 Motivation for mobility We want Alice to be able to use any computer. No or low trust in the computer used. No key material on the computer used.

5 Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security

6 Definition of Security Using the Universal Composability framework Ideal world: Definition of the security Real world: Our protocol Prove by simulation some equavalense between the two worlds

7 Ideal Functionality for digital signatures Ran Canetti [C05]

8 Intuition behind F SIG The simulator generates keys –This makes F SIG general and not related to the specific algorithms. F SIG is acting like a storage: –Signing: Messages get recorded. –Verification: If the message has been recorded then it is accepted. If the signer (Alices computer) is corrupted everything can be verified.

9 F M-SIG : Revised Edition of F SIG We want the human user “U” to decide if a message should be signed and thereby verified.

10 Outline Motivation Revised Definition of Security Protocol Securely Realizing F M-SIG Proof of Security Proactive Security

11 Idear behind our protocol

12 1’st approach Assume that the adversary at most controls one of {MD,T,S} Use RSA signatures Additive secret share the users private exponent: d = d 1 + d 2 Assume that keys are set up beforehand.

13 2’nd approach Why 2’nd: –We implemented it. –It was a bit slow. Assume that the mobile device has limited computational power (No exponentiation) We want to give privacy back to the user. –This one is easy: RSA signatures already use hashing, so just send the has to the server.

14 mUmU m d MD dSdS K K m pwd m m ok δ MD δ MD = d MD + F K (H(m)) σ MD, H(m), pwd σSσS σ MD = H(m) mod N δ MD σ S = H(m) mod N d S -F K (H(m)) σ = σ MD × σ S mod N = H(m) mod N d MD + F K (H(m)) + d S - F K (H(m))

15 Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security

16 Sketch of security proof Reduction R: If an adversary A can break our protocol, then R can use A to break standard RSA signatures. Given: –a RSA-oracle O, which provide a public key, and will sign message. –an Adversary, that can break the security of our protocol. R produces a signature on a message, never sent to O.

17 Sketch of reduction Flip coin c: –0: Guess A will corrupt S d S = random number mod n Simulate: σ MD from σ, m and d S –Calculate σ S –σ MD = σ × σ S -1 mod n –1: Guess A will corrupt MD or T d MD = random number mod n Simulate: σ S from σ, m and d MD –Calculate δ MD and σ MD –σ S = σ × σ MD -1 mod n If the guess was wrong: “Bad luck”, but only polynomial “bad luck”

18 Outline Motivation Revised Definition of Security Protocol Securely Realizing our definition Proof of Security Proactive Security

19 Proactive security Corrupted parties, can recover Nice property in our protocol. Changes to the protocol: –Assume deletion is possible on MD and S. –Assume all parties are honest during recovery –User U has a Paillier secret key. –The server S has d encrypted under the Paillier public key.

20 Proactive security (Sketch) Recover the computer T: –Make a new password pwd Recover MD or S: –MD and S, deletes d MD and d S –S selects random d S and uses the homomorphic property of Paillier to make an encryption of a new d MD –Send the encryption of d MD to MD.

21 Sketch of security proof We cannot just make a guess, like in the non-proactive case. –Not a polynomial reduction Solution: Rewind A –But: m, that A can sign by itself may have been send to O before rewinding. Solution: A is polynomial => m would be send to O at polynomial time after a rewind, and A would be rewinded in this particular run. Try to guess and rewind before m would have been send to O Similar to proof by [ADN06] Tighter reduction is possible, requires more complex protocol.

22 Conclusion etc. We proposed a revised definition of security for digital signatures We proposed a proactive protocol in this revised security definition. Part of the ITSCI project. Prototype.

Download ppt "Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Jens Groth BRICS, University of Aarhus Cryptomathic

Jens Groth BRICS, University of Aarhus Cryptomathic
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

Similar presentations

Ads by Google