1. Introduction
In traditional public key cryptography, a certificate authority is in charge of issuing certificates to users verifying that the public keys indeed belong to them. The down side of these certificates is that when the amount of users grows larger, the cost of managing these certificates increases as well. In identity-based cryptography, first proposed by Shamir in [1], a user can implicitly certify himself through the use of a unique identity-string binding him to his user secret key. However, the Trusted Authority who generates these keys still has access to the master secret key and therefore knows every user's secret. This key escrow, although desirable in certain situations, poses a security concern in others.
In the paradigm of certificateless cryptography, first proposed by Al-Riyami and Paterson in [2], the key generation center generates only a partial private key of the user. The user takes this partial secret key and combines it with a personal secret value to produce a full user secret key. This secret value is hidden from the key generation center and thus removes the key escrow. Identity-based cryptography also has the desired property of doing away with certificates, similar to certificateless cryptography. However, while there have been many advances in the realm of encryption and signature primitives for certificateless cryptography, the identification primitive has been virtually untouched.
An identification scheme allows a prover to prove himself to a verifier with the verifier learning nothing about the prover's secret key. Neven et al. in [3] and Kurosawa and Heng in [4] first pioneered the rigorous definition of identity-based identification, and their work has been incrementally improved upon over the most of the last decade in works such as [5-12]. However, to date little has been done to define and construct certificateless identification schemes. Some preliminary work has come in the form of [13] where the authors proposed a new and fairly effective scheme but without a proper definition of security models and proofs. [14] recently showed that the schemes in [13] are indeed insecure. A second but more comprehensive independent work has come in the form of [15] but the scheme is only provable secure in the random oracle model.
The random oracle model was first proposed by Bellare and Rogaway in [16]. Random oracles are treated as idealistic hash functions in a security proof where no mathematical parameters can be used to define the properties of random oracles. Open to honest and malicious parties alike, random oracles generate fully random responses to new queries while returning the same responses for queries that have been made before. However, since they are idealistic, random oracles cannot exist in the real world. In practice, regular hash functions are used to substitute these random oracles when implementing a cryptosystem. Canetti et al. in [17] showed that there are instances of cryptosystems where the cryptosystem can be broken if the random oracles are replaced by ordinary hash functions. Therefore it is our observation that while proofs of security in the random oracle model are better than having no proofs at all, it is more desirable to construct cryptosystems that are provable secure in the standard model.
In this paper, we provide the definitions of certificateless identification and proceed to construct a certificateless identification scheme that is efficient and provable secure in the standard model. This, as opposed to a proof in the random oracle model, is more desirable in rigorously defining security for a cryptosystem.
We divide our paper into the following sections: In Section 2 we introduce preliminary definitions required for certificateless identification schemes. In Section 3 we show the construction of our scheme. In Section 4 we provide four security proofs in the standard model - passive security against Type-1 and Type-2 adversaries, as well as active/concurrent security against Type-1 and Type-2 adversaries. In Section 5 we show the operation costs of the scheme and conclude in Section 6.
2. Preliminaries
2.1. Bilinear Pairings
Let G1 and G2 be cyclic multiplicative groups of prime order q where the discrete logarithm problems are intractable. Then e: G1 × G1 → GT is an admissible bilinear map if it satisfies
2.2. Problems and Assumptions
We use the following hard problems to prove our certificateless identification scheme is secure
The Computational Diffie-Hellman assumption and the One-More Computational Diffie-Hellman assumption state that there are no polynomial time algorithms for solving the discrete logarithm problem and the one-more discrete logarithm problems with non-negligible probability respectively.
2.3. The Knowledge of Exponent Assumption [19]
We use the Knowledge of Exponent Assumption for the proof against Type-1 adversaries, for the case when a target identity’s public key is replaced. Let k = log|〈g〉| be the security parameter of a prime order group where g is a generator. For any probabilistic polynomial time algorithm A that takes as input g and ga, where a is chosen from [0,|〈g〉| - 1] uniformly at random, and which produces as output a pair of the form (x, y), x ∈〈g〉, there exists a probabilistic polynomial time extractor E, which takes in the same input and outputs the pair (x, y) along with an exponent r such that for sufficiently large k, Pr [y = xa ∧ gr ≠ x] ≤ for any polynomial Q.
2.4. Definition for Certificateless Identification Schemes
A certificateless scheme consists of six probabilistic polynomial time algorithms (Setup, Set-User-Key, Partial-Private-Key-Extract, Set-Private-Key, Prove and Verify).
2.5. Security Notion For Certificateless Identification Scheme
We consider four types of adversaries for the certificateless identification scheme:
The difference in capability between passive and active impersonators is the passive impersonator can only eavesdroρ on conversations between honest parties, while the active impersonator can act as a cheating verifier to gain knowledge from honest provers through interacting with them. The concurrent impersonator is an active impersonator who can run several instances of the protocol simultaneously.
We also classify adversary subtypes based on adversaries of certificateless signature schemes according to the definitions by [20,21]. These subtypes are the Normal, Strong and Super type adversary for Type 1 and Type 2 categories, which are differing in what parameters they have.
The strength of these classifications are in increasing order, i.e. if a scheme is secure against super-type adversaries, it is secure against normal-type adversaries as well.
We describe the security model of CLI schemes against Type-1 and Type-2 impersonators in terms of the following games. We highlight the differences between each game with respect to the capabilities when making identification queries, for both passive and active/concurrent impersonators as well as Normal, Strong and Super adversaries.
Game I. The game played between a challenger C and the Type-1 impersonator I1 for the CLI scheme is as follows:
3) Phase 2. I1 will eventually output the challenge identity ID* and then changes role to then play the role of the cheating prover. C, in turn, assumes the role of the verifier. I1 wins the game if it manages to convince C to accept.
We say a CLI scheme is (t, qI, ε)-secure under passive or active/concurrent attacks if for any passive or active/concurrent Type-1 impersonator I1 who runs in time t, Pr [I1 can impersonate] < ε, where I1 can make at most qI extract queries on full private keys.
Game II. The game played between a challenger C and the Type-2 Impersonator I2 for the CLI scheme is as follows:
Note that I2 does not need to perform ExtrPartSK queries as it already has the master secret key and can generate partial private keys by itself. I2 is also not allowed to replace the public key of the challenge identity, but is able to do so for any other user.
We say a CLI scheme is (t, qI, ε)-secure under passive or active/concurrent attacks if for any passive or active/concurrent Type-2 impersonator I2 who runs in time t, Pr [I2 can impersonate] < ε, where I2 can make at most qI extract queries on full private keys.
3. Construction
In this section we show the construction of the new certificateless identification scheme. Let G and GT be finite cyclic groups of large prime order q and let g be a generator of G. Use a collision-resistant hash function H:{0,1}* → {0,1}n to hash identity strings of arbitrary length to size n.
To check for completeness:
and
4. Security Analysis
In this section, a security analysis on the certificateless identification scheme is presented. The scheme manages to achieve security against Super-Type-1 and Super-Type-2 adversaries for impersonation under passive attacks, and security against Strong-Type-1 and Strong-Type-2 adversaries for impersonation under active/concurrent attacks, all in the standard model.
4.1 Security Against Type-1 Impersonation under Passive Attacks
Theorem 1. The certificateless identification scheme is (t, qI, ε)-secure against Super-Type-1 impersonators under passive attack in the standard model if the CDHP is (t', ε')-hard where
where ρ represents time taken to do a multiplication in G, τ is the time taken to do an exponentiation in G, qe represents the number of extract queries made, qi represents the number of transcript queries made and qI = qe + qi.
Proof. Suppose there exists an impersonator I1 who (t, qI, ε)-breaks the IBI scheme. Then we show an algorithm M which (t', ε')-breaks the CDH assumption by running I1 as a subroutine. M is given a group G, a generator g ∈ G and elements ga, gb. Without loss of generality, it can be assumed any ExtrPartSK, RequestPK, ExtrFullSK and Identification queries are preceded by a CreateUser query, while Identification and ExtrFullSK queries are preceded by a RequestPK query. M simulates the challenger for I1 as follows:
Eventually I1stops phase 1 and outputs the challenge identity, ID*, on which it wishes to be challenged on. M checks if F(ID*) = 0 mod q then reports failure and aborts if not. Otherwise M runs I1 now as a cheating prover on ID*. M obtains (X, Y, R, c1, z1) then resets I1 to its previous state where it just sent its commitment to obtain (X, Y, R, c2, z2). In both cases, it must hold that e(g1 , UPK1,ID*) = e(UPK2,ID*, g) for all public values of , UPK1,ID*, UPK2,ID* of ID*. Based on the Reset Lemma [22], M is then able to extract the full private key as
By using the knowledge of exponent assumption from [19], M can either extract σ if 〈UPK1,ID*, UPK2,ID*〉 = 〈gσ, gaσ〉 were generated from g, ga, or extract ϱ if 〈UPK1,ID* , UPK2,ID*〉 = 〈gσϱ, gaσϱ〉 were generated from gσ, gaσ.
For the first case, M calculates the solution to the CDH problem as:
For the second case, M calculates the solution to the CDH problem as:
It remains to calculate the probability of M solving the CDH problem and winning the game. The probability of M successfully extracting 2 valid transcripts from I1 is given by as given by the Reset Lemma [21]. Upon extraction of USK1,ID*, M will be able to compute gab.
We break down the probability of M winning the CDHP to:
Finally, calculate Pr [¬abort]. Define the following events:
Calculate the probability of A* as:
Notice that:
Since l = 2qe in the simulation, therefore
Putting them together, the advantage of M in breaking CDHP is:
4.2 Security Against Type-1 Active/Concurrent Attacks
Theorem 1. The certificateless identification scheme is (t, qI, ε)-secure against Strong-Type-1 impersonators under active/concurrent attack in the standard model if the OMCDHP is (t", q", ε")-hard where
where ρ represents time taken to do a multiplication in G, τ is the time taken to do an exponentiation in G, – qe represents the number of extract queries made, qi represents the number of transcript queries made and qI = qe + qi.
Proof. Define the following as the impersonation under active/concurrent attack (IMP-AA/CA-1) game. Assume that if the certificateless identification scheme is (t, qI, ε)-breakable by an impersonator I1, then we can show a simulator M that (t", q", ε")-breaks the OMCDHP. M is given a challenge oracle CHALL which provides random points in G1and a solution oracle CDH that upon an input h outputs ha. In order to win the game, M has to provide the solutions to n queries to CHALL by using strictly less queries to CDH. To begin, M is given (g , g1 = ga). M then queries CHALL for the initial challenge W0 and runs the Type-1 impersonator I1 as a subroutine. Without loss of generality, it can be assumed any ExtrPartSK, RequestPK, ExtrFullSK and Identification queries are preceded by a CreateUser query, while Identification and ExtrFullSK queries are preceded by a RequestPK query. The way the environment is simulated for I1 is similar to that of the IMP-PA-1 game, and hence only the differences are shown.
Eventually I1 stops phase 1 and outputs the challenge identity, ID*, on which it wishes to be challenged on. M checks if F(ID*) = 0 mod q then reports failure and aborts if not. Otherwise M runs I1 now as a cheating prover on ID*. M obtains (X, Y, R, c1, z1) then resets I1 to its previous state where it just sent its commitment to obtain (X, Y, R, c2, z2). In both cases, it must hold that e(g1, UPK1,ID*) = e(UPK2,ID*, g) for all public values of UPK1,ID*, UPK 2,ID* of ID*. Based on the Reset Lemma [22], M is then able to extract the full private key as
By using the knowledge of exponent assumption from [19], M can either extract σ if 〈UPK1,ID*, UPK2,ID*〉=〈gσ, gaσ〉 were generated from g, ga, or extract ϱ if 〈UPK1,ID*, UPK2,ID*〉=〈gσϱ, gaσϱ〉 were generated from gσ, gaσ.
For the first case, M calculates the solution to the CDH problem as:
For the second case, M calculates the solution to the CDH problem as:
Recall that sIDi is provided by I1 for every m-th Identification query for the corresponding public key of IDi being used, both for original or replaced. M then proceeds to calculate the solutions for the challenges W1,…,Wm as:
The probability of M winning the OMCDHP is the same as in the IMP-PA-1 game, except that ε', the advantage of M in solving the CDH problem is substituted with ε", the advantage of M in solving the OMCDHP game.
4.3 Security Against Type-2 Impersonation under Passive Attacks
Theorem 1. The certificateless identification scheme is (t, qI, ε)-secure against Strong-Type-2 impersonators under passive attack in the standard model if the CDHP is (t', ε')-hard where
where ρ represents time taken to do a multiplication in G, τ is the time taken to do an exponentiation in G , qe represents the number of extract queries made, qi represents the number of transcript queries made and qI = qe + qI.
Proof. Suppose there exists an impersonator I2 who (t, qI, ε)-breaks the IBI scheme. Then we show an algorithm M which (t', ε')-breaks the CDH problem by running I2 as a subroutine. M is given a group G, a generator g ∈ G and, to keep with the consistency of scheme definitions, elements defined as gs, gb. Without loss of generality, it can be assumed any RequestPK, ExtrFullSK and Identification queries are preceded by a CreateUser query, while Identification and ExtrFullSK queries are preceded by a RequestPK query. M simulates the challenger for I2 as follows:
Note that for both cases the public keys need to hold for the verifier’s first check equation e(g1, UPK1,IDi) = e(UPK2,IDi, g). In other words, the new public values of UPK'1,IDi, UPK'2,IDi of all IDs must fulfill the check equation even with the replaced public keys, thus requiring I2 to submit valid public key replacement values for ReplacePK queries and a valid sv for Identification queries.
Eventually I2 stops phase 1 and outputs the challenge identity, ID*, on which it wishes to be challenged on. M checks if F(ID*) = 0 mod q then reports failure and aborts if not. Otherwise M runs I2 now as a cheating prover on ID*. M obtains (X, Y, R, c1, z1) then resets I2 to its previous state where it just sent its commitment to obtain (X, Y, R, c2, z2). In both cases, it must hold that e(g1, UPK1,ID*) = e(UPK2,ID*, g) for all public values of UPK1,ID*, UPK2,ID* of ID*. Based on the Reset Lemma [22], M is then able to extract the full private key as
Since I2 is not allowed to replace the public key of ID*, M calculates the solution to the CDH problem as:
For the second case, M calculates the solution to the CDH problem as:
It remains to calculate the probability of M solving the CDH problem and winning the game. The probability of M successfully extracting 2 valid transcripts from I1 is given by as given by the Reset Lemma [21]. Upon extraction of USK1,ID*, M will be able to compute gbs. We break down the probability of M winning the CDHP to:
Finally, calculate Pr [¬abort]. Define the following events:
Calculate the probability of A* as:
Notice that:
Since l = 2qe in the simulation, therefore
Putting them together, the advantage of M in breaking CDHP is:
4.4 Security Against Type-2 Active/Concurrent Attacks
Theorem 1. The certificateless identification scheme is (t, qI, ε)-secure against Strong-Type-2 impersonators under active/concurrent attack in the standard model if the OMCDHP is (t", q", ε")-hard where
where ρ represents time taken to do a multiplication in G, τ is the time taken to do an exponentiation in G, qe represents the number of extract queries made, qi represents the number of transcript queries made and qI = qe + qi.
Proof. Define the following game as the impersonation under active/concurrent attack (IMP-AA/CA-2) game. Assume that the certificateless identification scheme is (t, qI, ε)-breakable by an impersonator I2, then we can show a simulator M that (t", q", ε")-breaks the OMCDHP. M is given a challenge oracle CHALL which provides random points in G1and a solution oracle CDH that upon input h outputs ha. M has to provide the solutions to n queries to CHALL by using strictly less queries to CDH in order to win the game. To begin, M is given (g, g1 = ga). M then queries CHALL for the initial challenge W0 and runs the Type-2 impersonator I2 as a subroutine. Without loss of generality, it can be assumed any RequestPK, ExtrFullSK and Identification queries are preceded by a CreateUser query, while Identification and ExtrFullSK queries are preceded by a RequestPK query. The way the environment is simulated for I2 is similar to that of the IMP-PA-2 game, and hence only the differences are shown.
Eventually I2 stops phase 1 and outputs the challenge identity, ID*, on which it wishes to be challenged on. M checks if F(ID*) = 0 mod q then reports failure and aborts if not. Otherwise M runs I2 now as a cheating prover on ID*. M obtains (X, Y, R, c1, z1) then resets I2 to its previous state where it just sent its commitment to obtain (X, Y, R, c2, z2). In both cases, it must hold that e(g1, UPK1,ID*) = e(UPK2,ID*, g) for all public values of UPK1,ID*, UPK2,ID* of ID*. Based on the Reset Lemma [22], M is then able to extract the full private key as
Since I2 is not allowed to replace the public key of ID*, M calculates the solution to the OMCDHP as:
M then proceeds to calculate the solutions for the challenges W1,…,Wm as:
The probability of M winning the OMCDHP is the same as IMP-PA-2 game, except that ε', the advantage of M in solving the CDH problem is substituted with ε", the advantage of M in solving the OMCDHP game.
5. Efficiency Analysis
We give the operational cost of the certificateless identification scheme in Table 1.
Table 1.Operation Costs for the Certificateless Identification Scheme
Since the certificateless identification scheme is constructed based on an extension of the identity-based identification scheme from [23] to the certificateless setting, similar pre-computations are able to be conducted in order to reduce operation costs.
One can pre-compute the value of = e(UID, USK2,ID) beforehand, since this value is fixed, then calculate X = for Prover each time the protocol is run. This will reduce up to n + 1 times of multiplication in G1 for both Prover and Verifier, and one pairing operation on Prover.
Another pre-computation operation available is to pre-compute and store U = (u'Πɩ∈ID uɩ) within Prover. This can later be sent as part of the commitment to Verifier so that Verifier does not require a second calculation. This saves another n + 1 multiplications in G1 for Verifier.
The operation costs of Prover and Verifier with pre-computation is given in Table 2.
Table 2.Operation Costs for the Identification Protocol with Pre-computation
6. Conclusion
In this paper, we proposed a certificateless identification scheme with provable security in the standard model. This scheme provides a stronger security guarantee due to its non-reliance on the existence of random oracles. It is also the first ceritficateless identification scheme to have provable security in the standard model. The scheme is provable secure against both Type-1 and Type-2 impersonators, both passive and active/concurrent alike assuming the CDHP and OMCDHP is hard. It is secure against Super-Type-1 and Strong-Type-2 adversaries with regard to passive adversaries and secure against Strong-Type-1 and Strong-Type-2 adversaries with regard to active/concurrent security.
One interesting problem is to increase the security even more to propose a certificateless identification scheme provable secure in the standard model against Super-Type adversaries for active/concurrent attacks. Another direction the research on certificateless identification can take is to apply formal methods for proving certificateless identification schemes secure.
참고문헌
- Shamir, A.. "Identity-based cryptosystems and signature schemes," Advances in cryptology, Springer Berlin Heidelberg, pp. 47-53, January, 1985.
- Al-Riyami, S. S., & Paterson, K. G., "Certificateless public key cryptography," Advances in Cryptology-ASIACRYPT 2003, Springer Berlin Heidelberg, pp. 452-473, 2003.
- Bellare, M., Namprempre, C., & Neven, G., "Security proofs for identity-based identification and signature schemes," Journal of Cryptology, 22(1), 1-61, 2009. https://doi.org/10.1007/s00145-008-9028-8
- Kurosawa, K., & Heng, S. H., "From digital signature to ID-based identification/signature" Public Key Cryptography-PKC 2004, Springer Berlin Heidelberg, pp. 248-261, 2004.
- Kurosawa, K., & Heng, S. H., "Identity-based identification without random oracles," Computational Science and Its Applications-ICCSA 2005, Springer Berlin Heidelberg, pp. 603-613, 2005.
- Kurosawa, K., & Heng, S. H., "The power of identification schemes," Public Key Cryptography-PKC 2006, Springer Berlin Heidelberg, pp. 364-377, 2006.
- Yang, G., Chen, J., Wong, D. S., Deng, X., & Wang, D., "A new framework for the design and analysis of identity-based identification schemes," Theoretical Computer Science, 407(1), 370-388, 2008. https://doi.org/10.1016/j.tcs.2008.07.001
- Chin, J. J., Heng, S. H., & Goi, B. M., "An efficient and provable secure identity-based identification scheme in the standard model," Public Key Infrastructure, Springer Berlin Heidelberg, pp. 60-73, 2008.
- Chin, J. J., Heng, S. H., & Goi, B. M., "Hierarchical identity-based identification schemes," Security Technology, Springer Berlin Heidelberg, pp. 93-99, 2009.
- Thorncharoensri, P., Susilo, W., & Mu, Y., "Identity-based identification scheme secure against concurrent-reset attacks without random oracles," Information Security Applications, Springer Berlin Heidelberg, pp. 94-108, 2009.
- Fujioka, A., Saito, T., & Xagawa, K., "Security enhancements by OR-proof in identity-based identification," Applied Cryptography and Network Security, Springer Berlin Heidelberg, pp. 135-152, January, 2012.
- Fujioka, A., Saito, T., & Xagawa, K., "Security enhancement of identity-based identification with reversibility," Information and Communications Security, Springer Berlin Heidelberg, pp. 202-213, 2012.
- Dehkordi, M. H., & Alimoradi, R., "Certificateless identification protocols from super singular elliptic curve," Security and Communication Networks, 2013.
- Chin, J. J., Behnia, R., Heng, S. H. and Phan, R. P. C., "Cryptanalysis of a certificateless identification scheme," Security and Communication Networks, 2014.
- Chin, J. J., Heng, S. H., Phan, R. P. C & Behnia, R., "An Efficient and Provably Secure Certificateless Identification Scheme," in Proc. of Proceedings of the 10th International Conference on Security and Cryptography, SECRYPT , pp. 371-378, 2013.
- Bellare, M., & Rogaway, P., "Random oracles are practical: A paradigm for designing efficient protocols," in Proc. of Proceedings of the 1st ACM conference on Computer and communications security, ACM, pp. 62-73, December, 1993.
- Canetti, R., Goldreich, O., & Halevi, S., "The random oracle methodology, revisited," Journal of the ACM (JACM), 51(4), 557-594, 2004. https://doi.org/10.1145/1008731.1008734
- Boldyreva, A., "Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme," Public key cryptography-PKC 2003, Springer Berlin Heidelberg, pp. 31-46. 2002.
- Damgård, I., "Towards practical public key systems secure against chosen ciphertext attacks," Advances in Cryptology-CRYPTO'91, Springer Berlin Heidelberg, pp. 445-456, January, 1992.
- Huang, X., Mu, Y., Susilo, W., Wong, D. S., & Wu, W., "Certificateless signature revisited," Information Security and Privacy, Springer Berlin Heidelberg, pp. 308-322, January, 2007.
- Huang, X., Mu, Y., Susilo, W., Wong, D. S., & Wu, W., "Certificateless signatures: new schemes and security models," The Computer Journal, 55(4), 457-474, 2012. https://doi.org/10.1093/comjnl/bxr097
- Bellare, M., & Palacio, A., "GQ and Schnorr identification schemes: Proofs of security against impersonation under active/concurrent attacks," Advances in Cryptology-CRYPTO 2002, Springer Berlin Heidelberg, pp. 162-177, 2002.
- Tan, S. Y., Chin, J. J., Heng, S. H., & Goi, B. M., "An improved efficient provable secure identity-Based identification scheme in the standard model," KSII Transactions on Internet and Information Systems (TIIS), 7(4), 910-922, 2013. https://doi.org/10.3837/tiis.2013.04.018