Posted 20-Dec-2015
Proactive Secure Mobile Digital Signatures
Work in progress.
Ivan Damgård and Gert Læssøe Mikkelsen, University of Aarhus.
Outline
• Motivation
• Revised Definition of Security
• Protocol Securely Realizing our definition
• Proof of Security
• Proactive Security
Motivation for mobility
• We want Alice to be able to use any computer.
• No or low trust in the computer used.
• No key material on the computer used.
Definition of Security
• We use the Universal Composability framework:
– Ideal world: the definition of security (an ideal functionality).
– Real world: our protocol.
– Prove, by simulation, that the two worlds are indistinguishable.
Intuition behind F_SIG
• The simulator generates the keys. This makes F_SIG general and independent of the specific signature algorithm.
• F_SIG acts like a storage:
– Signing: messages get recorded.
– Verification: a message verifies if it has been recorded (and, while the signer is honest, only then).
• If the signer (Alice's computer) is corrupted, everything can be verified.
F_M-SIG: revised edition of F_SIG
• We want the human user U to decide whether a message should be signed, and thereby whether it can be verified.
1st approach
• Assume that the adversary controls at most one of {MD, T, S} (the mobile device, the computer used, and the server).
• Use RSA signatures.
• Additively secret-share the user's private exponent: d = d1 + d2.
• Assume that keys are set up beforehand.
2nd approach
• Why a second approach: we implemented the first one, and it was a bit slow.
• Assume that the mobile device has limited computational power (no exponentiation).
• We want to give privacy back to the user.
– This one is easy: RSA signatures already hash the message, so just send the hash to the server.
Protocol (2nd approach). Parties: the user U, the mobile device MD (holds the share d_MD and a PRF key K), the computer T (untrusted, holds no key material) and the server S (holds the share d_S and the same key K). The private exponent is shared additively, d = d_MD + d_S.
• U enters the message m and the password pwd on T.
• T forwards m to MD; MD displays m and U confirms with "ok".
• MD computes the masked share δ_MD = d_MD + F_K(H(m)) and hands it to T. This is a PRF evaluation and an addition only; MD does no exponentiation, and the mask hides d_MD from T.
• T computes σ_MD = H(m)^δ_MD mod N and sends (σ_MD, H(m), pwd) to S. S sees the hash, not m.
• S computes σ_S = H(m)^(d_S − F_K(H(m))) mod N and returns σ_S.
• Combining the two partial signatures cancels the mask and gives an ordinary RSA signature:
σ = σ_MD × σ_S mod N = H(m)^(d_MD + F_K(H(m)) + d_S − F_K(H(m))) mod N = H(m)^d mod N.
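The following is an added example and not the authors' implementation: a Python sketch of the 2nd approach above with the three roles separated, plus the check a practitioner would want, namely that a corrupted T cannot reuse a δ_MD approved for m to get S to complete a signature on a different message. The RSA modulus (two Mersenne primes), the PRF (HMAC-SHA512), the way H(m) is encoded into Z_N, the share sizes and the messages are all constructed assumptions; the password check at S is omitted.

```python
"""Two-party RSA signing with a PRF-masked exponent share (added example)."""
import hashlib
import hmac
import secrets

# Toy RSA modulus from two Mersenne primes (constructed; far too small for
# real use, chosen only so the example is deterministic and fast).
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)


def H(m: bytes) -> int:
    """Toy message encoding: SHA-256 reduced into Z_N (a stand-in for a
    proper RSA padding such as PSS; not for production)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def F(K: bytes, h: int) -> int:
    """PRF F_K, expanded to 1024 bits with HMAC-SHA512.  The output must be
    much longer than d_MD so that delta_MD = d_MD + F_K(H(m)) statistically
    hides d_MD from the computer T, which sees delta_MD."""
    hb = h.to_bytes(64, "big")
    out = b"".join(hmac.new(K, hb + bytes([i]), hashlib.sha512).digest()
                   for i in range(2))
    return int.from_bytes(out, "big")


def mod_pow(base: int, exp: int, n: int) -> int:
    """Modular exponentiation accepting negative exponents; the server's
    exponent d_S - F_K(H(m)) is negative for the sharing used here."""
    if exp < 0:
        return pow(pow(base, -exp, n), -1, n)
    return pow(base, exp, n)


def setup():
    """Trusted setup (assumed by the slides): share d over the integers,
    give MD and S the PRF key K."""
    d_md = secrets.randbelow(2 ** (N.bit_length() + 64))
    d_s = D - d_md            # negative, which is fine over the integers
    return d_md, d_s, secrets.token_bytes(32)


def md_step(d_md: int, K: bytes, h: int) -> int:
    """MD, after the user confirmed m on its display: masked share only."""
    return d_md + F(K, h)


def t_step(h: int, delta_md: int) -> int:
    """Untrusted computer T: the heavy exponentiation on the masked share."""
    return pow(h, delta_md, N)


def s_step(d_s: int, K: bytes, h: int) -> int:
    """Server S: partial signature that removes the mask (password check
    from the protocol omitted here)."""
    return mod_pow(h, d_s - F(K, h), N)


def combine(sigma_md: int, sigma_s: int) -> int:
    """sigma_MD * sigma_S = H(m)^(d_MD + F + d_S - F) = H(m)^d mod N."""
    return (sigma_md * sigma_s) % N


def verify(m: bytes, sigma: int) -> bool:
    """Plain RSA verification; the sharing is invisible to the verifier."""
    return pow(sigma, E, N) == H(m)


def sign(m: bytes, d_md: int, d_s: int, K: bytes) -> int:
    h = H(m)
    return combine(t_step(h, md_step(d_md, K, h)), s_step(d_s, K, h))


def substitution_attack(m: bytes, m_forged: bytes, d_md: int, d_s: int,
                        K: bytes) -> int:
    """Corrupted T reuses the delta_MD the user approved for m to ask S for a
    completion on m_forged.  F_K(H(m)) and F_K(H(m_forged)) do not cancel,
    so the product is not a valid signature on m_forged."""
    delta_md = md_step(d_md, K, H(m))        # U approved m, not m_forged
    h_forged = H(m_forged)
    return combine(pow(h_forged, delta_md, N), s_step(d_s, K, h_forged))
```

The mask is what binds δ_MD to the hash the user approved: S only removes F_K(H(m)) for the hash it is given, so a δ_MD issued for one message is useless for any other.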
Sketch of security proof
• Reduction R: if an adversary A can break our protocol, then R can use A to break standard RSA signatures.
• Given:
– an RSA oracle O, which provides a public key and signs messages on request,
– an adversary A that breaks the security of our protocol,
• R produces a valid signature on a message that was never sent to O.
Sketch of reduction
• Flip a coin c:
– c = 0: guess that A will corrupt S.
• Choose d_S as a random number mod N.
• Simulate σ_MD from σ, m and d_S: compute σ_S, then σ_MD = σ × σ_S^(−1) mod N.
– c = 1: guess that A will corrupt MD or T.
• Choose d_MD as a random number mod N.
• Simulate σ_S from σ, m and d_MD: compute δ_MD and σ_MD, then σ_S = σ × σ_MD^(−1) mod N.
• If the guess was wrong: "bad luck", and R aborts. The guess is right with probability 1/2, so only a polynomial factor is lost.
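Worked derivation (added here, not on the slides) of why the simulated values have the right distribution. In the branch c = 0, R knows the share d_S it chose and gets σ = H(m)^d mod N from O. It computes

σ_S = H(m)^(d_S − F_K(H(m))) mod N,
σ_MD = σ × σ_S^(−1) = H(m)^(d − d_S + F_K(H(m))) = H(m)^(d_MD + F_K(H(m))) mod N,

where d_MD := d − d_S is the share R never learns. Since d_S was chosen at random, (d_S, σ_MD, σ_S) has the same distribution as in a real run with the sharing (d − d_S, d_S). The branch c = 1 is symmetric: R picks d_MD, computes δ_MD = d_MD + F_K(H(m)) and σ_MD = H(m)^δ_MD, and sets

σ_S = σ × σ_MD^(−1) = H(m)^(d − d_MD − F_K(H(m))) = H(m)^(d_S − F_K(H(m))) mod N

with d_S := d − d_MD. In either branch every σ that A sees came from a query R made to O, so a forgery by A on a message m* that was never sent to O is exactly a forgery against standard RSA signatures.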
Proactive security
• Corrupted parties can recover; a nice property of our protocol.
• Changes to the protocol:
– Assume that deletion is possible on MD and S.
– Assume all parties are honest during recovery.
– The user U has a Paillier secret key.
– The server S has d encrypted under the Paillier public key.
Proactive security (sketch)
• Recover the computer T: make a new password pwd.
• Recover MD or S:
– MD and S delete d_MD and d_S.
– S selects a random new d_S and uses the homomorphic property of Paillier to turn the encryption of d into an encryption of the new d_MD = d − d_S, without learning d.
– S sends the encryption of d_MD to MD.
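The recovery step for MD or S, as an added example that is not the authors' code. It assumes, as the slides do, that all parties are honest during recovery and that S stores Enc_pk(d) under the user's Paillier public key; it additionally assumes that MD decrypts its new share with the user's Paillier secret key. The Paillier primes (two Mersenne primes), the toy exponent and the share size are constructed values, and the Paillier scheme is implemented inline so the block runs stand-alone.

```python
"""Proactive refresh of an additive exponent sharing via Paillier (added example)."""
import math
import secrets

# Toy Paillier key from two Mersenne primes (constructed; real keys use random
# primes of 1024+ bits).  The plaintext space must comfortably hold d and the
# fresh share, with room to represent negative values.
PP = 2**521 - 1
PQ = 2**607 - 1
PN = PP * PQ                                   # Paillier modulus n (public)
PN2 = PN * PN
LAM = (PP - 1) * (PQ - 1) // math.gcd(PP - 1, PQ - 1)   # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, PN)                          # secret key part (Python >= 3.8)

# Constructed stand-in for the user's RSA private exponent (about 234 bits).
D_TOY = 2**233 + 987654321
RSA_BITS = 234


def enc(m: int) -> int:
    """Enc_pk(m) = (1+n)^m * r^n mod n^2 with fresh random r; m is taken mod n,
    so negative plaintexts are encoded as n + m."""
    r = secrets.randbelow(PN - 1) + 1
    return (1 + PN * (m % PN)) * pow(r, PN, PN2) % PN2


def dec(c: int) -> int:
    """Dec_sk(c) = L(c^lambda mod n^2) * mu mod n with L(u) = (u-1)/n, returned
    as a signed value in (-n/2, n/2]."""
    u = pow(c, LAM, PN2)
    v = ((u - 1) // PN) * MU % PN
    return v - PN if v > PN // 2 else v


def add_const(c: int, k: int) -> int:
    """Homomorphic addition of a known constant: Enc(m) * (1+n)^k = Enc(m + k).
    k may be negative (subtraction)."""
    return c * pow(1 + PN, k % PN, PN2) % PN2


def server_refresh(c_d: int, rsa_bits: int):
    """S: knowing only c_d = Enc(d) and the size of the RSA modulus, pick a
    fresh random share d_S and compute Enc(d - d_S) without ever seeing d."""
    d_s_new = secrets.randbelow(2 ** (rsa_bits + 64))
    return d_s_new, add_const(c_d, -d_s_new)


def md_refresh(c_md_new: int) -> int:
    """MD: recover the new share d_MD = d - d_S with the user's secret key
    (assumption: MD has access to that key during recovery)."""
    return dec(c_md_new)


def refresh(d: int, rsa_bits: int):
    """One recovery round.  Enc(d) is what S would have stored at setup;
    the old d_MD and d_S are assumed deleted before this runs."""
    c_d = enc(d)
    d_s_new, c_md_new = server_refresh(c_d, rsa_bits)
    return md_refresh(c_md_new), d_s_new
```

Only the server touches the ciphertext, and it learns nothing about d beyond its size; the new sharing is independent of the old one, so whatever an attacker extracted from MD or S before recovery is worthless afterwards.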
Sketch of security proof (proactive case)
• We cannot just make a guess as in the non-proactive case: guessing the whole corruption pattern in advance would not give a polynomial reduction.
• Solution: rewind A.
– But: a message m that A can sign by itself may already have been sent to O before the rewind.
– Solution: A is polynomial, so m would be sent to O within polynomial time after a rewind, and A is rewound in this particular run; try to guess the point and rewind before m would have been sent to O.
• Similar to the proof in [ADN06].
• A tighter reduction is possible, but it requires a more complex protocol.