Post on 24-Mar-2023
OutlineProxy Re-signature
Our ContributionOpen Problems
The Security Model of Unidirectional ProxyRe-Signature with Private Re-Signature Key
Jun Shao1,2, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu
1College of Computer and Information Engineering,Zhejiang Gongshang University
2College of Information Sciences and Technology,Pennsylvania State University
2010-07-06ACISP 2010, Sydney
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Proxy Re-signature
Our ContributionObservation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Open Problems
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Proxy Re-signature
Informally speaking, proxy re-signature (PRS) is such a kind ofsignature where a semi-trusted proxy with some additionalinformation (a.k.a, re-signature key) can transform a signature ofAlice (delegatee) to another signature of Bob (delegator) on thesame message. However, the proxy cannot produce an arbitrarysignature on behalf of either the delegatee or the delegator.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Desired Properties
I Unidirectional
I Multi-use
I Private re-signature key
I Transparent
I Key-optimal
I Non-interactive
I Non-transitive
I Temporary
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Definition for Unidirectional Proxy Re-signature withPrivate Re-signature Key (UPRS-prk)
KeyGen: (pk, sk)← KeyGen(1k).
ReKey: rkA→B ← ReKey(pkA, pkB , skB).
Sign: σ ← Sign(sk ,m, `). ` = 1, owner-type signature;` > 1, non-owner-type signature.
ReSign: σB ← ReSign(rkA→B , pkA,m, σA, `).
Verify: (1 or 0)← Verify(pk,m, σ, `).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The AH Model: External Security
No inside attacker
Pr[{(pki , ski )← KeyGen(1k)}i∈[1,n],
(t,m∗, σ∗, `∗)← AOs(·),Ors(·)({pki}i∈[1,n]) :Verify(pkt ,m
∗, σ∗, `∗) = 1 ∧ (t,m∗) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The AH Model: Limited Proxy
The proxy is the possible inside attacker
Pr[{(pki , ski )← KeyGen(1k)}i∈[1,n],
(t,m∗, σ∗, `∗)← AOs(·),Ork (·)({pki}i∈[1,n]) :Verify(pkt ,m
∗, σ∗, `∗) = 1 ∧ (t,m∗) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The AH Model: Delegatee Security
The proxy and delegator are the possible inside attacker
Pr[{(pki , ski )← KeyGen(1k)}i∈[0,n],
(m∗, σ∗, `∗)← AOs(·)(pk0, {pki , ski}i∈[1,n]) :Verify(pk0,m
∗, σ∗, `∗) = 1 ∧ (0,m∗) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The AH Model: Delegator Security
The proxy and delegatee are the possible inside attacker
Pr[{(pki , ski )← KeyGen(1k)}i∈[0,n],
(m∗, σ∗, 1)← AOs(·),Ork (·)(pk0, {pki , ski}i∈[1,n]) :Verify(pk0,m
∗, σ∗, 1) = 1 ∧ (0,m∗) 6∈ Q],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Scheme Sus (Based on BLS short signature)
KeyGen: pk = ga and sk = a.
ReKey:
rkA→B = (rk(1)A→B , rk
(2)A→B , rk
(3)A→B) = (r ′, (pkA)r
′,H(g a·r ′ ||2)1/b).
Sign:
I σ = (A,B,C ) = (H(m||0)r , g r ,H(g r ||1)a).I σ = (A,B,C ,D,E ) =
(H(m||0)r1 , g r1 ,H(g r1 ||1)r2 , g r2 ,H(g r2 ||2)1/a).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Scheme Sus (Based on BLS short signature)
ReSign:
σ′ = (A′, B ′, C ′, D ′, E ′)
= (A, B, C rk(1)A→B , rk
(2)A→B , rk
(3)A→B)
= (H(m||0)r , g r , H(g r ||1)ar′, (pkA)r
′, H((pkA)r
′ ||2)1/b)= (H(m||0)r1 , g r1 , H(g r1 ||1)r2 , g r2 , H(g r2 ||2)1/b)
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Scheme Sus (Based on BLS short signature)
Verify:
I σ = (A,B,C ):
e(pk,H(B||1))?= e(g ,C ),
e(B,H(m||0))?= e(g ,A).
I σ = (A,B,C ,D,E ):
e(g ,H(D||2))?= e(pk,E ),
e(D,H(B||1))?= e(g ,C ),
e(B,H(m||0))?= e(g ,A).
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Security of Scheme Sus
TheoremScheme Sus is secure in the AH model if the eCDH problem ishard, and hash function H is treated as a random oracle.
Definition (eCDH Problem)
Pr[A(g , gu, g v , g1/v ) = guv or gu/v ] ≥ ε,
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
An Attack on Scheme Sus
Alice → Proxy → Bob: Bob delegates his signing rights to Alicevia Proxy.
I Alice: σa = (H(m||0)r , g r ,H(g r ||1)a).
I Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a)rk(1)a→b , rk
(2)a→b, rk
(3)a→b).
I Alice: replace m with what she wants.
This is against private re-signature key property.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
An Attack on Scheme Sus
Alice → Proxy → Bob: Bob delegates his signing rights to Alicevia Proxy.
I Alice: σa = (H(m||0)r , g r ,H(g r ||1)a).
I Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a)rk(1)a→b , rk
(2)a→b, rk
(3)a→b).
I Alice: replace m with what she wants.
This is against private re-signature key property.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The Improved Security Model
Static mode: Before the game starts, the adversary should decidewhich users and proxies are corrupted, and all theverification keys in the security model are generatedby the challenger.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The Improved Security Model
Pr[{(pki , ski )← KeyGen(1k)}i∈[0,n],
(pk∗,m∗, σ∗, `∗)← AOs(·),Ork (·),Ors(·),Osk (·) :(pk∗,m∗, σ∗, `∗) satifying the following requirements],
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
The Improved Security Model
1. Verify(pk∗,m∗, σ∗, `∗) = 1.
2. The adversary has not made a secret key query on pk∗
3. The adversary has not made a signature query on (pk∗,m∗).
4. The adversary has not made a signature query on (pk ′,m∗),which the adversary can transform it to the forgery by itself.
5. The adversary has not made a re-signature key query on(pki , pkj), which can be used to transform asignature/re-signature query result to the forgery by theadversary.
6. The adversary has not made a re-signature query on(pki , pkj ,m
∗, σi , ∗), which the adversary can transform it tothe forgery by itself.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model
Discussion on the Improved Security Model
I Previous UPRS-prk schemes are still proven secure in theimproved security model.
I The improved security model can be extended to thechosen-key model by following the spirit mentioned by Libertand Vergnaud.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key
OutlineProxy Re-signature
Our ContributionOpen Problems
Open Problems
I Pursue the security proofs of the existing UPRS-prk schemesin our security definition with the chosen-key model.
I Design UPRS-prk schemes which can be proven secure in oursecurity definition with the chosen-key model.
Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key