The security model of unidirectional proxy re-signature with private re-signature key

OutlineProxy Re-signature

Our ContributionOpen Problems

The Security Model of Unidirectional ProxyRe-Signature with Private Re-Signature Key

Jun Shao1,2, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu

1College of Computer and Information Engineering,Zhejiang Gongshang University

2College of Information Sciences and Technology,Pennsylvania State University

2010-07-06ACISP 2010, Sydney

Jun Shao, Min Feng, Bin Zhu, Zhenfu Cao and Peng Liu The Security Model of Unidirectional Proxy Re-Signature with Private Re-Signature Key



Proxy Re-signature

Our ContributionObservation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model

Open Problems




Proxy Re-signature

Informally speaking, proxy re-signature (PRS) is such a kind ofsignature where a semi-trusted proxy with some additionalinformation (a.k.a, re-signature key) can transform a signature ofAlice (delegatee) to another signature of Bob (delegator) on thesame message. However, the proxy cannot produce an arbitrarysignature on behalf of either the delegatee or the delegator.




Desired Properties

I Unidirectional

I Multi-use

I Private re-signature key

I Transparent

I Key-optimal

I Non-interactive

I Non-transitive

I Temporary




Observation on the AH ModelThe Artificially Designed SchemeThe Improved Security Model

Definition for Unidirectional Proxy Re-signature withPrivate Re-signature Key (UPRS-prk)

KeyGen: (pk, sk)← KeyGen(1k).

ReKey: rkA→B ← ReKey(pkA, pkB , skB).

Sign: σ ← Sign(sk ,m, `). ` = 1, owner-type signature;` > 1, non-owner-type signature.

ReSign: σB ← ReSign(rkA→B , pkA,m, σA, `).

Verify: (1 or 0)← Verify(pk,m, σ, `).





The AH Model: External Security

No inside attacker

Pr[{(pki , ski )← KeyGen(1k)}i∈[1,n],

(t,m∗, σ∗, `∗)← AOs(·),Ors(·)({pki}i∈[1,n]) :Verify(pkt ,m

∗, σ∗, `∗) = 1 ∧ (t,m∗) 6∈ Q],





The AH Model: Limited Proxy

The proxy is the possible inside attacker


(t,m∗, σ∗, `∗)← AOs(·),Ork (·)({pki}i∈[1,n]) :Verify(pkt ,m

∗, σ∗, `∗) = 1 ∧ (t,m∗) 6∈ Q],





The AH Model: Delegatee Security

The proxy and delegator are the possible inside attacker


(m∗, σ∗, `∗)← AOs(·)(pk0, {pki , ski}i∈[1,n]) :Verify(pk0,m

∗, σ∗, `∗) = 1 ∧ (0,m∗) 6∈ Q],





The AH Model: Delegator Security

The proxy and delegatee are the possible inside attacker


(m∗, σ∗, 1)← AOs(·),Ork (·)(pk0, {pki , ski}i∈[1,n]) :Verify(pk0,m

∗, σ∗, 1) = 1 ∧ (0,m∗) 6∈ Q],





Scheme Sus (Based on BLS short signature)

KeyGen: pk = ga and sk = a.

ReKey:

rkA→B = (rk(1)A→B , rk

(2)A→B , rk

(3)A→B) = (r ′, (pkA)r

′,H(g a·r ′ ||2)1/b).

Sign:

I σ = (A,B,C ) = (H(m||0)r , g r ,H(g r ||1)a).I σ = (A,B,C ,D,E ) =

(H(m||0)r1 , g r1 ,H(g r1 ||1)r2 , g r2 ,H(g r2 ||2)1/a).






ReSign:

σ′ = (A′, B ′, C ′, D ′, E ′)

= (A, B, C rk(1)A→B , rk

(2)A→B , rk

(3)A→B)

= (H(m||0)r , g r , H(g r ||1)ar′, (pkA)r

′, H((pkA)r

′ ||2)1/b)= (H(m||0)r1 , g r1 , H(g r1 ||1)r2 , g r2 , H(g r2 ||2)1/b)






Verify:

I σ = (A,B,C ):

e(pk,H(B||1))?= e(g ,C ),

e(B,H(m||0))?= e(g ,A).

I σ = (A,B,C ,D,E ):

e(g ,H(D||2))?= e(pk,E ),

e(D,H(B||1))?= e(g ,C ),

e(B,H(m||0))?= e(g ,A).





Security of Scheme Sus

TheoremScheme Sus is secure in the AH model if the eCDH problem ishard, and hash function H is treated as a random oracle.

Definition (eCDH Problem)

Pr[A(g , gu, g v , g1/v ) = guv or gu/v ] ≥ ε,





An Attack on Scheme Sus

Alice → Proxy → Bob: Bob delegates his signing rights to Alicevia Proxy.

I Alice: σa = (H(m||0)r , g r ,H(g r ||1)a).

I Proxy: σb = (H(m||0)r , g r , (H(g r ||1)a)rk(1)a→b , rk

(2)a→b, rk

(3)a→b).

I Alice: replace m with what she wants.

This is against private re-signature key property.





The Improved Security Model

Static mode: Before the game starts, the adversary should decidewhich users and proxies are corrupted, and all theverification keys in the security model are generatedby the challenger.







(pk∗,m∗, σ∗, `∗)← AOs(·),Ork (·),Ors(·),Osk (·) :(pk∗,m∗, σ∗, `∗) satifying the following requirements],






1. Verify(pk∗,m∗, σ∗, `∗) = 1.

2. The adversary has not made a secret key query on pk∗

3. The adversary has not made a signature query on (pk∗,m∗).

4. The adversary has not made a signature query on (pk ′,m∗),which the adversary can transform it to the forgery by itself.

5. The adversary has not made a re-signature key query on(pki , pkj), which can be used to transform asignature/re-signature query result to the forgery by theadversary.

6. The adversary has not made a re-signature query on(pki , pkj ,m

∗, σi , ∗), which the adversary can transform it tothe forgery by itself.





Discussion on the Improved Security Model

I Previous UPRS-prk schemes are still proven secure in theimproved security model.

I The improved security model can be extended to thechosen-key model by following the spirit mentioned by Libertand Vergnaud.




Open Problems

I Pursue the security proofs of the existing UPRS-prk schemesin our security definition with the chosen-key model.

I Design UPRS-prk schemes which can be proven secure in oursecurity definition with the chosen-key model.




Thank You!


The security model of unidirectional proxy re-signature with private re-signature key

Documents

Transcript of The security model of unidirectional proxy re-signature with private re-signature key