Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.)

Published byMillicent Baker Modified over 8 years ago

Similar presentations

Presentation on theme: "The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.)"— Presentation transcript:

1 The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.) Moti Yung (Columbia Univ.)

2 Outline of the Talk Brief Overview of Key Evolving Signatures –Forward-Secure Signatures (FS) –Key-Insulated Signatures (KI) –Intrusion-Resilient Signatures (IR) Security Hierarchy of Key Evolving Sigs. IR KI FS Formal Definition of Proxy Signatures Characterization of Proxy Signatures Proxy KI

3 The Hierarchy of Key Evolving Signatures

4 Key Evolving Signatures Localize damage of secret key exposure –Splitting time into periods: 0,1,…,T –Updating secret (signing) key for each period without changing public (verification) key Several models exist (for different settings and different security goals) –Forward-Secure Signatures (FS) [And97,BM99] –Key-Insulated Signatures (KI) [DKXY02] –Intrusion-Resilient Signatures (IR) [IR02]

5 SK 0 SK j-1 Signer Forward-Secure Signatures Gen 1 k,T UpdSign PK SK j-1 SK j M Vrfy Accept Reject

6 Security of FS Signature The adversary has access to –The signing oracle O sig (M,i) outputs the valid signature for the message M in the time period i –The key exposure oracle O sec (“s”, j) outputs the secret key SK j of the time period j The adversary successfully breaks the scheme if it outputs (M, ) s.t. – (M,i) is never queried to the signing oracle – (“s”, i ’ ) is never queried to the key exposure oracle such that i ’ < i

7 SK 0 SK i Key-Insulated Signatures Signer Gen 1 k,T Upd SK i SK j SK * Base Upd* PK Sign Vrfy M Securely protected SK ’ i,j i, j KI possesses random access key capability

8 Security of KI Signature The adversary has access to –The signing oracle O sig (M,i) outputs the valid signature for the message M in the time period i –The key exposure oracle O sec (“s”, j) outputs the secret key SK j of the time period j The adversary successfully breaks the scheme if it outputs (M, ) s.t. –(M,i) is never queried to the signing oracle –(“s”,i) is never queried to the key exposure oracle

9 SKS 0.0 SKB 0.0 SKB (j-1).r SKS (j-1).r Intrusion-Resilient Signatures Signer Gen 1 k,T Upd Sign SKS j.r Vrfy Base Upd* PK Refr*Refr SKR j.r SKB j.r NOT protected SKS (j-1).r SKB (j-1).r SKU j-1 SKB j.0 SKS j.0 SKB j.r SKS j.r SKB j.(r+1) SKS j.(r+1) SKS j.r SKB j.r M

10 Security of IR Signature The adversary has access to –The signing oracle O sig (M,i.r) outputs Sign (SKS i,r, M) –The key exposure oracle O sec ( query ) outputs SKS j,r if query =(“s”, j.r) SKB j.r if query =(“b”, j.r) SKU j and SKR j+1.0 if query =(“u”, j) SKR j.r if query =(“r”, j.r) The adversary successfully breaks the scheme if it outputs (M, ) s.t. – (M,i) is never queried to the signing oracle – SKS i,r is not exposed by the oracle calls – No SKS i ’.r ’ and SKB i ’.r ’ are exposed by the oracle calls for any i ’ <i

11 Question: Are there any relations among these “similar” models? Answer: Security hierarchy exists among these models! IR KI FS Further, all the security reductions are tight (via concrete security analysis) Yes!

12 Theorem (IR KI) We can construct KI from IR in such a way that if there exists adversary which breaks KI (constructed from IR) then we can construct adversary which breaks IR where : running time of the adversary : success probability of the adversary : number of queries to signing oracle : number of queries to key exposure oracle

13 Constructing KI from IR ( Gen ) Signer Gen 1k1k UpdSign Vrfy Base Upd* Gen(IR) 1k1k SKB 0.0 SKS 0.0 PK Refr(IR)Refr*(IR) SK * = SK 0 = SKS 0.1 PK = PK(IR)

14 SKB 0.1 SKS 0.1 SKB 1.0 SKS 1.0 SKS 1.1 Constructing KI from IR ( Upd* ) Signer UpdSign SK i Base Refr*(IR) SK * = Refr(IR) Upd(IR)Upd*(IR) Upd* i, j SK ’ i,j =SKS j.1 SKS 2.0 SKS 2.1 SKS 3.0 SKS 3.1 SKS j.0 SKS j.1 SKB 1.1 SKB 2.0 SKB 2.1 SKB 3.0 SKB 3.1 SKB j.0 SKB j.1 Random access to the key can be achieved

15 Constructing KI from IR (cont’d) Base Upd SK * Signer SK i = SKS i.1 UpdSignVrfy SK ’ i,j =SKS j.1 Sign(IR) Vrfy(IR) PK = PK(IR) M Accept Reject SK j = SKS j.1

16 Constructing Oracles Oracles for KI can be also constructed from oracles for IR as follows –O sig (M, j) = O sig (M, j.1) –O sec (“s”, j) = O sec (“s”, j.1) It is easy to see if the adversary successfully breaks KI then the adversary also breaks IR with the same output.

17 Other relations KI IR: IR can be constructed from KI by sharing signer keys of KI between the signer and the base of IR IR FS: Straightforward (All the algorithms of the signer and the base are put into the signer of FS) Both reductions are tight (in the sense of no security loss in the reductions)

18 A Characterization of Proxy Signatures

19 Proxy Signatures Method of giving (partial) signing right of an entity (delegator) to the others (proxy signer) A lot of schemes have been proposed so far but a few of them are proven to be secure No formal model exists (except [BPW03] which gives a formal model for one-level delegation)

20 Our Results on Proxy Signatures Formal model for “fully hierarchical” proxy signature (based on [BPW03]) Characterization of proxy signatures via key evolving signature: Proxy KI

21 Model of Proxy Signatures Proxy Signer Gen 1k1k PSig Sign Vrfy Delegator Dlg D Dlg P SK D PK D PVrf M sig accept reject w SKP D>P W M ps accept reject SK P PK P

22 Multi-Level Delegation Proxy Signer PSig Delegator Dlg D Dlg P SK P PK P w D>P SKP I>D>P W I>D>P SKP I>D W I>D If the delegator wants to delegate the signing right which she is delegated from others PK

23 Self Delegation Proxy SignerDelegator Dlg D Dlg P SK D PK D w D>P If the delegator wants to delegate the signing right to herself (possibly to an insecure device) SK D Secret key of the delegator is not inputted in the case of self delegation

24 Security def. of Proxy Signatures The adversary has access to –Signing Oracle O sig –Key exposure Oracle O sec –Delegation Oracle O Dlg interacts with the adversary on behalf of Dlg D or Dlg P Proxy signature is secure if the adversary cannot forge a proxy signature (non-proxy signature) when the adversary cannot compute the proxy signing key and the warrant (signing key) through the queries to the oracles

25 Proxy Sigs. and Key Evolving Sigs. Some similarities exist –Localize the damage of key exposure –Prevent non-delegated users (who knows its signing key) from forging the proxy signature –Key is evolved for “each time period” –Proxy signing key is generated for “each delegation” Characterization of Proxy Signatures via Key Evolving Signatures (Equivalence between KI and Proxy)

26 Theorem (Proxy KI) We can construct KI from Proxy in such a way that if there exists adversary which breaks KI (constructed from Proxy) then we can construct adversary which breaks Proxy s.t. where : running time of the adversary : success probability of the adversary : number of queries to oracle A

27 Theorem (KI Proxy) We can construct Proxy (with n delegator and the number of self delegation is limited to c ) from KI in such a way that if there exists adversary which breaks Proxy (constructed from KI) then we can construct adversary which breaks KI s.t.

28 Conclusion Security Hierarchy of Key Evolving Signatures. IR KI FS Formal Definition of Fully Hierarchical Proxy Signatures Characterization of Proxy Signatures Proxy KI

29 Thank you!

30 Difference among the models Base Key Evolution Security FS sequentialPast signatures are protected KI Secure Random access is possible Signatures of all the uncorrupted time periods are protected IR Insecuresequential Signatures of all the uncorrupted time periods are protected Forward Security can be assured even if signer key and base key are corrupted simultaneously

Download ppt "The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.)"

Similar presentations

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

Similar presentations

Ads by Google