\subsection{Canonical Identification Scheme}
|
|
|
|
A canonical identification scheme (CID), as defined in~\cite{EC:AABN02}, is a protocol between two parties. The prover tries to prove knowledge of a secret key to the verifier, which only knows the public key. This is achieved by exchanging three messages between the two parties. First, the prover starts the protocol by sending a commitment $R$ to the verifier. The verifier answers with a random challenge $\ch$ from a predefined challenge set $\textbf{CHSet}$. The prover then uses the commitment, the challenge and its secret key to calculate a response $s$. The verifier can then use the commitment, challenge and response together with the public key of the prover to verify the response and thereby decide whether the prover is actually in possession of the private key.
|
|
|
|
\begin{definition}[CID]
|
|
A canonical identification scheme $\text{CID} = (\keygen, P, V)$ is a tuple of algorithms.
|
|
|
|
\begin{itemize}[label={}]
|
|
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the scheme parameter as input outputs a matching pair of public and private key.
|
|
\item \textbf{P}: The prover, consisting of two algorithms $P_1$ and $P_2$. $P_1$ receives the private key as input and outputs a pair consisting of a commitment and a state. $P_2$ receives as input the private key, the commitment, the challenge and the state and outputs the response.
|
|
\item \textbf{V}: The verification algorithm, which upon receiving the public key, the commitment, the challenge and the response outputs a bit indicating whether the response is valid for these inputs.
|
|
\end{itemize}
|
|
|
|
For the canonical identification scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), (R, st) \in P_1(\privkey), \ch \in \textbf{CHSet}, s \in P_2(\privkey, R, \ch, st): V(\pubkey, R, \ch, s) = 1$.
|
|
\end{definition}
|
|
|
|
\subsubsection{IMP-PA}
|
|
|
|
One security notion for a canonical identification scheme is impersonation security against passive attackers (IMP-PA). For this security notion the adversary is tasked with impersonating the prover by outputting a valid response $s$ for a randomly chosen challenge $\ch$, while being allowed to request an arbitrary number of valid transcripts from the challenger. The accompanying game is depicted in Figure~\ref{game:imp-pa}.
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\normalsize
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{IMP-PA}$}
|
|
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
|
\State $s^* \randomassign \adversary{A}^{Tran, Ch(\inp)}(\pubkey)$
|
|
\State \Return $\exists (R^*, \ch^*) \in Q: V(\pubkey, R^*, \ch^*, s^*) \test 1$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle Ch($R^*$)}
|
|
\Comment{one query}
|
|
\State $\ch^* \randomassign \textbf{CHSet}$
|
|
\State $Q \assign \{(R^*, \ch^*)\}$
|
|
\State \Return $\ch^*$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle Tran}
|
|
\State $(R, st) \randomassign P_1(\privkey)$
|
|
\State $\ch \randomassign \textbf{CHSet}$
|
|
\State $s \assign P_2(\privkey, R, \ch, st)$
|
|
\State \Return $(R, \ch, s)$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{IMP-PA Security Game}
|
|
\label{game:imp-pa}
|
|
\end{figure}
|
|
|
|
\begin{definition}[IMP-PA]
|
|
Let $\text{CID} = (\keygen, P, V)$ be a canonical identification scheme. $\text{CID}$ is IMP-PA secure if for all ppt adversaries $\adversary{A}$ the advantage $\advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{\textit{CID},\adversary{A}}{\text{IMP-PA}}(\secparamter) \assign \prone{\text{IMP-PA}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
\subsection{Digital Signature Scheme}
|
|
|
|
A digital signature scheme is a method to ensure the authenticity of data. The signer, who is in possession of a private key, generates a signature for a specific message. The verifier is then able to verify the authenticity of this data using the public key and the generated signature.
|
|
|
|
\begin{definition}
|
|
A digital signature scheme $SIG = (\keygen, \sign, \verify)$ is a tuple of algorithms.
|
|
|
|
\begin{itemize}[label={}]
|
|
\item \textbf{\keygen}: The key generation algorithm, which upon receiving the scheme parameter as input outputs a matching pair of public and private key.
|
|
\item \textbf{\sign}: The signature algorithm, which upon receiving the secret key and the message outputs a signature for that message.
|
|
\item \textbf{\verify}: The verification algorithm, which upon receiving the public key, the message and the signature decides whether the signature is valid for the specific set of input parameters.
|
|
\end{itemize}
|
|
|
|
For the digital signature scheme to be correct it is required that $\forall (\pubkey, \privkey) \in \keygen(par), \m \in \messagespace, \signature \in \sign(\privkey, \m): \verify(\pubkey, \m, \signature) = 1$.
|
|
\end{definition}
|
|
|
|
\subsubsection{\cma}
|
|
|
|
Strong Existential Unforgeability against Chosen Message Attack (\cma) is a security notion for digital signature schemes. In this game the adversary is given access to an \Osign oracle, which generates valid signatures for arbitrary messages. The adversary wins the game if it is able to provide a valid message--signature pair that was not generated by the \Osign oracle. The security game is depicted in Figure~\ref{game:cma}.
|
|
|
|
\begin{definition}[\cma]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is \cma secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{\cma}}(\secparamter) \assign \prone{\text{\cma}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\normalsize
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{\cma}$}
|
|
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
|
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge (\m^*, \signature^*) \notin M$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
|
|
\State $\signature \randomassign \sign(\privkey, \m)$
|
|
\State $M \assign M \cup \{(\m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{\cma Security Game}
|
|
\label{game:cma}
|
|
\end{figure}
|
|
|
|
\subsubsection{EUF-CMA}
|
|
|
|
Existential Unforgeability against Chosen Message Attack (EUF-CMA) is similar to the SUF-CMA security notion. The adversary also gets access to an \Osign oracle which generates signatures for arbitrary messages. Unlike in the SUF-CMA game, the adversary wins the EUF-CMA game only if it forges a valid signature for a message that was never queried to the \Osign oracle. The security game is depicted in Figure~\ref{game:euf-cma}.
|
|
|
|
\begin{definition}[EUF-CMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is EUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{EUF-CMA}}(\secparamter) \assign \prone{\text{EUF-CMA}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\begin{multicols}{2}
|
|
\normalsize
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{EUF-CMA}$}
|
|
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp)}(\pubkey)$
|
|
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1 \wedge \m^* \notin M$
|
|
\end{algorithmic}
|
|
\columnbreak
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \Osign($\m \in \messagespace$)}
|
|
\State $\signature \randomassign \sign(\privkey, \m)$
|
|
\State $M \assign M \cup \{\m\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\end{multicols}
|
|
\hrule
|
|
\caption{EUF-CMA Security Game}
|
|
\label{game:euf-cma}
|
|
\end{figure}
|
|
|
|
\subsubsection{UF-NMA}
|
|
|
|
Unforgeability against No Message Attack (UF-NMA) is a security notion for digital signature schemes. The difference to the \cma game is that the adversary does not get access to an \Osign oracle providing it with valid signatures for arbitrary messages. As in the \cma setting, the adversary is tasked with providing a valid signature for a message of its choice. The game is depicted in Figure~\ref{game:uf-nma}.
|
|
|
|
\begin{definition}[UF-NMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme. $SIG$ is UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{UF-NMA}}(\secparamter) \assign \prone{\text{UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{UF-NMA}$}
|
|
\State $(\pubkey, \privkey) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey)$
|
|
\State \Return $\verify(\pubkey, \m^*, \signature^*) \test 1$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{UF-NMA Security Game}
|
|
\label{game:uf-nma}
|
|
\end{figure}
|
|
|
|
\subsubsection{MU-SUF-CMA}
|
|
|
|
MU-SUF-CMA is the multi-user variant of the SUF-CMA security notion. Instead of one public key the adversary gets $n$ public keys and is able to query signatures for arbitrary messages under any of the public keys. The goal of the adversary is to forge a signature for any of the public keys. The game is depicted in Figure~\ref{game:mu-suf-cma}.
|
|
|
|
\begin{definition}[MU-SUF-CMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is $n$-MU-SUF-CMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{MU-SUF-CMA}}(\secparamter) \assign \prone{\text{MU-SUF-CMA}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\normalsize
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{MU-SUF-CMA}$}
|
|
\State \textbf{for} $i \in \{1,2,\dots,n\}$
|
|
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}^{\sign(\inp, \inp)}(\pubkey_1, \pubkey_2, \dots, \pubkey_n)$
|
|
\State \Return $\exists i \in \{1,2,\dots,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1 \wedge (\pubkey_i, \m^*, \signature^*) \notin M$
|
|
\end{algorithmic}
|
|
\vspace{2mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\oracle \Osign($i \in \{1,2,\dots,n\}$, $\m \in \messagespace$)}
|
|
\State $\signature \randomassign \sign(\privkey_i, \m)$
|
|
\State $M \assign M \cup \{(\pubkey_i, \m, \signature)\}$
|
|
\State \Return $\signature$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-SUF-CMA Security Game}
|
|
\label{game:mu-suf-cma}
|
|
\end{figure}
|
|
|
|
\subsubsection{MU-EUF-CMA}
|
|
|
|
\subsubsection{MU-UF-NMA}
|
|
|
|
MU-UF-NMA is the multi-user variant of the UF-NMA security notion. Instead of one public key the adversary gets access to $n$ public keys and has to forge a signature for any of the public keys. Unlike in the MU-SUF-CMA game, the adversary does not get access to a signing oracle. The game is depicted in Figure~\ref{game:mu-uf-nma}.
|
|
|
|
\begin{definition}[MU-UF-NMA]
|
|
Let $SIG = (\keygen, \sign, \verify)$ be a digital signature scheme and $n$ be an integer. $SIG$ is $n$-MU-UF-NMA secure if for all ppt adversaries $\adversary{A}$ the $\advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter)$ is negligible in $\secparamter$.
|
|
|
|
\[ \advantage{SIG,\adversary{A}}{\text{MU-UF-NMA}}(\secparamter) \assign \prone{\text{MU-UF-NMA}^{\adversary{A}}} \leq \epsilon \]
|
|
\end{definition}
|
|
|
|
\begin{figure}[h]
|
|
\hrule
|
|
\vspace{1mm}
|
|
\begin{algorithmic}[1]
|
|
\Statex \underline{\game $\text{MU-UF-NMA}$}
|
|
\State \textbf{for} $i \in \{1,2,\dots,n\}$
|
|
\State \quad $(\pubkey_i, \privkey_i) \randomassign \keygen(1^\secparamter)$
|
|
\State $(\m^*, \signature^*) \randomassign \adversary{A}(\pubkey_1, \pubkey_2, \dots, \pubkey_n)$
|
|
\State \Return $\exists i \in \{1,2,\dots,n\}: \verify(\pubkey_i, \m^*, \signature^*) \test 1$
|
|
\end{algorithmic}
|
|
\hrule
|
|
\caption{MU-UF-NMA Security Game}
|
|
\label{game:mu-uf-nma}
|
|
\end{figure}
|
|
|
|
\subsection{Security Assumptions}