the hierarchy of key evolving signatures and a characterization of proxy signatures
DESCRIPTION
The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures. Tal Malkin (Columbia Univ.) Satoshi Obana (NEC and Columbia Univ.) Moti Yung (Columbia Univ.). Outline of the Talk. Brief Overview of Key Evolving Signatures Forward-Secure Signatures (FS) - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/1.jpg)
The Hierarchy of Key Evolving Signatures and a
Characterization of Proxy Signatures
Tal Malkin (Columbia Univ.)Satoshi Obana (NEC and Columbia
Univ.)Moti Yung (Columbia Univ.)
![Page 2: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/2.jpg)
Outline of the Talk
• Brief Overview of Key Evolving Signatures– Forward-Secure Signatures (FS)– Key-Insulated Signatures (KI)– Intrusion-Resilient Signatures (IR)
• Security Hierarchy of Key Evolving Sigs.
IR KI FS• Formal Definition of Proxy Signatures• Characterization of Proxy Signatures
Proxy KI
![Page 3: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/3.jpg)
The Hierarchy ofKey Evolving Signatures
![Page 4: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/4.jpg)
Key Evolving Signatures
• Localize damage of secret key exposure– Splitting time into periods: 0,1,…,T– Updating secret (signing) key for each period without
changing public (verification) key
• Several models exist (for different settings and different security goals)– Forward-Secure Signatures (FS) [And97,BM99]– Key-Insulated Signatures (KI) [DKXY02]– Intrusion-Resilient Signatures (IR) [IR02]
![Page 5: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/5.jpg)
SK0SKj-1
Signer
Forward-Secure Signatures
Gen1k,T
Upd Sign
PK
SKj-1
SKj
SKj M
Vrfy<j,sig> Accept
Reject
![Page 6: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/6.jpg)
Security of FS Signature
• The adversary has access to – The signing oracle Osig(M,i) outputs the valid signatu
re for the message M in the time period i– The key exposure oracle Osec(“s”, j) outputs the secr
et key SKj of the time period j
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.– (M,i) is never queried to the signing oracle– (“s”, i’) is never queried to the key exposure oracle
such that i’< i
![Page 7: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/7.jpg)
SK0SKi
Key-Insulated Signatures
Signer
Gen1k,T
Upd
SKi
SKj
SKj
SK*Base
Upd*
PK
Sign
VrfyM
<j,sig>
Securely protected
SK’i,j
i, j
KI possesses random access key capability
![Page 8: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/8.jpg)
Security of KI Signature
• The adversary has access to – The signing oracle Osig(M,i) outputs the valid signatu
re for the message M in the time period i– The key exposure oracle Osec(“s”, j) outputs the secr
et key SKj of the time period j
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.– (M,i) is never queried to the signing oracle– (“s”,i) is never queried to the key exposure oracle
![Page 9: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/9.jpg)
SKS0.0SKB0.0SKB(j-1).r SKS(j-1).r
Intrusion-Resilient Signatures
Signer
Gen1k,T
Upd
SignSKSj.r
Vrfy
Base
Upd*
PK
Refr* RefrSKRj.r
SKBj.r
NOT protected
SKS(j-1).rSKB(j-1).r
SKUj-1
SKBj.0
SKBj.0
SKSj.0
SKSj.0SKBj.r SKSj.r
SKBj.(r+1)
SKBj.(r+1)
SKSj.(r+1)
SKSj.(r+1)SKSj.rSKBj.r
<j,sig>
M
![Page 10: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/10.jpg)
Security of IR Signature• The adversary has access to
– The signing oracle Osig(M,i.r) outputs Sign(SKSi,r, M)
– The key exposure oracle Osec(query) outputs• SKSj,r if query=(“s”, j.r)
• SKBj.r if query=(“b”, j.r)
• SKUj and SKRj+1.0 if query=(“u”, j)
• SKRj.r if query=(“r”, j.r)
• The adversary successfully breaks the scheme if it outputs (M,<i,s>) s.t.– (M,i) is never queried to the signing oracle– SKSi,r is not exposed by the oracle calls
– No SKSi’.r’ and SKBi’.r’ are exposed by the oracle calls for any i’<i
![Page 11: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/11.jpg)
Question:Are there any relations among these “similar” models?
Answer:
Security hierarchy exists among these models!
IR KI FSFurther, all the security reductions are tight (via concrete security analysis)
Yes!
![Page 12: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/12.jpg)
Theorem (IR KI)
We can construct KI from IR in such a way that if there exists adversary which breaks KI (constructed from IR) then we can construct adversary which breaks IR
),,,( secsig qq
),,,( secsig qq
where• : running time of the adversary• : success probability of the adversary• : number of queries to signing oracle• : number of queries to key exposure oracle
secq
sigq
![Page 13: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/13.jpg)
Constructing KI from IR (Gen)
Signer
Gen
1k
Upd Sign Vrfy
Base
Upd*
Gen(IR) 1k
SKB0.0 SKS0.0 PKRefr(IR)Refr*(IR)
SK*=<SKB0.1,SKS0.1> SK0=SKS0.1 PK=PK(IR)
![Page 14: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/14.jpg)
SKB0.1 SKS0.1SKB1.0 SKS1.0SKS1.1
Constructing KI from IR (Upd*)
Signer
Upd Sign
SKi
Base
Refr*(IR)
SK*=<SKB0.1,SKS0.1>
Refr(IR)
Upd(IR)Upd*(IR)
Upd*
i, j
SK’i,j=SKSj.1
SKS2.0SKS2.1SKS3.0SKS3.1SKSj.0SKSj.1SKB1.1SKB2.0SKB2.1SKB3.0SKB3.1SKBj.0SKBj.1
Random access to the key can be achieved
![Page 15: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/15.jpg)
Constructing KI from IR (cont’d)
Base
Upd
SK*
SignerSKi=SKSi.1
Upd Sign Vrfy
SK’i,j=SKSj.1
Sign(IR) Vrfy(IR)
PK=PK(IR)
M
AcceptReject
SKj=SKSj.1
![Page 16: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/16.jpg)
Constructing Oracles
Oracles for KI can be also constructed from oracles for IR as follows
– Osig(M, j) = Osig(M, j.1)– Osec(“s”, j) = Osec(“s”, j.1)
It is easy to see if the adversary successfully breaks KI then the adversary also breaks IR with the same output.
![Page 17: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/17.jpg)
Other relations
• KI IR: IR can be constructed from KI by sharing signer keys of KI between the signer and the base of IR
• IR FS: Straightforward (All the algorithms of the signer and the base are put into the signer of FS)
• Both reductions are tight (in the sense of no security loss in the reductions)
![Page 18: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/18.jpg)
A Characterization ofProxy Signatures
![Page 19: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/19.jpg)
Proxy Signatures
• Method of giving (partial) signing right of an entity (delegator) to the others (proxy signer)
• A lot of schemes have been proposed so far but a few of them are proven to be secure
• No formal model exists (except [BPW03] which gives a formal model for one-level delegation)
![Page 20: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/20.jpg)
Our Results on Proxy Signatures
• Formal model for “fully hierarchical” proxy signature (based on [BPW03])
• Characterization of proxy signatures via key evolving signature:
Proxy KI
![Page 21: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/21.jpg)
Model of Proxy Signatures
Proxy Signer
Gen1k
PSigSign
Vrfy
Delegator
DlgD DlgP
SKD PKD
PVrf
M
sig
acceptreject
w SKPD>P W
M
ps
acceptreject
SKP PKP
![Page 22: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/22.jpg)
Multi-Level Delegation
Proxy Signer
PSig
Delegator
DlgD DlgP
SKP PKPwD>PSKPI>D>P WI>D>PSKPI>D WI>D
If the delegator wants to delegate the signing right which she is delegated from others
PK
![Page 23: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/23.jpg)
Self Delegation
Proxy SignerDelegator
DlgD DlgP
SKD PKDPKDwD>P
If the delegator wants to delegate the signing right to herself (possibly to an insecure device)
SKD
Secret key of the delegator is not inputted in the case of
self delegation
![Page 24: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/24.jpg)
Security def. of Proxy Signatures
The adversary has access to– Signing Oracle Osig – Key exposure Oracle Osec – Delegation Oracle ODlg interacts with the adve
rsary on behalf of DlgD or DlgP
Proxy signature is secure if the adversary cannot forge a proxy signature (non-proxy signature) when the adversary cannot compute the proxy signing key and the warrant (signing key) through the queries to the oracles
![Page 25: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/25.jpg)
Proxy Sigs. and Key Evolving Sigs.
Some similarities exist– Localize the damage of key exposure– Prevent non-delegated users (who knows its
signing key) from forging the proxy signature
– Key is evolved for “each time period”– Proxy signing key is generated for “each
delegation”
Characterization of Proxy Signatures via Key Evolving Signatures (Equivalence between KI and
Proxy)
![Page 26: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/26.jpg)
Theorem (Proxy KI)
We can construct KI from Proxy in such a way that if there exists adversary which breaks KI (constructed from Proxy) then we can construct adversary which breaks Proxy s.t.
),,,,( DlgPS
secPS
sigPSPSPS qqq
),,,( secKI
sigKIKIKI qq
where• : running time of the adversary• : success probability of the adversary• : number of queries to oracle A
Aq
secKI
DlgPS
secKI
secPS
sigKI
sigPSKIPSKIPS ,,,, qqqqqq
![Page 27: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/27.jpg)
Theorem (KI Proxy)
We can construct Proxy (with n delegator and the number of self delegation is limited to c) from KI in such a way that if there exists adversary which breaks Proxy (constructed from KI) then we can construct adversary which breaks KI s.t.
),,,,( DlgPS
secPS
sigPSPSPS qqq
),,,( secKI
sigKIKIKI qq
DlgPS
secPS
secKI
DlgPS
sigPS
sigKI
PSKIPSKI
,
,,
qcqqqqq
![Page 28: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/28.jpg)
Conclusion
• Security Hierarchy of Key Evolving Signatures.
IR KI FS• Formal Definition of Fully
Hierarchical Proxy Signatures
• Characterization of Proxy Signatures
Proxy KI
![Page 29: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/29.jpg)
Thank you!
![Page 30: The Hierarchy of Key Evolving Signatures and a Characterization of Proxy Signatures](https://reader035.vdocuments.net/reader035/viewer/2022070408/568143d2550346895db06017/html5/thumbnails/30.jpg)
Difference among the modelsBase Key
Evolution Security
FS sequential
Past signatures are protected
KI SecureRandom access is possible
Signatures of all the uncorrupted time periods are protected
IR Insecuresequenti
al
Signatures of all the uncorrupted time periods are protected
Forward Security can be assured even if signer key and base key are corrupted simultaneously