Fuzzy Identity Based Signature
Based on P Yang et al 2008
Kittipat Virochsiri
Introduction
• What is it?
• Applications

• An Identity Based Signature scheme
• With some error tolerance
• A signature issued by a user with identity can be verified by another user with identity
• If and are within a certain distance judged by some metric
What is it?
• Attribute-based signature
• Biometric identity based signature
Applications
Preliminaries
• Bilinear Pairing
• Computational Diffie-Hellman
• Threshold Secret Sharing Schemes

• Let and be multiplicative groups of the same prime order
• Bilinear pairing is a map with the following properties:
• Bilinear: , where and
• Non-degeneracy:
• Computability: It is efficient to compute for all
Bilinear pairing
Computational Diffie-Hellman (CDH)
[Diagram: the Challenger gives the Adversary $(g, A = g^a, B = g^b)$; the Adversary returns $g^{ab} \in \mathbb{G}$]
• An adversary has at least advantage if:
• The computational (t,) - DH assumption holds if no polynomial-time adversary has at least advantage in solving the game
CDH Assumption
Threshold Secret Sharing Scheme
Let:
• be a finite field with elements
• be the secret
Assign every player a unique field element
Set of players , where can recover secret using
Threshold Secret Sharing Scheme
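An added example, not taken from the original slides: plain Shamir (d, n) threshold sharing over a prime field with Lagrange interpolation at 0, plus the fuzzy-matching use in which recovery succeeds only when two identity sets share at least d elements. The modulus `P`, the function names and the sample sets are assumptions made for illustration, and the code works on integers mod `P`, not in the pairing groups of the scheme.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed for this example)

def make_shares(secret, d, players):
    """Split `secret` with a random degree d-1 polynomial q, q(0) = secret.
    Each player is a unique nonzero field element x and receives q(x)."""
    if len(set(players)) != len(players) or any(x % P == 0 for x in players):
        raise ValueError("players must be unique nonzero field elements")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(d - 1)]

    def q(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return {x: q(x) for x in players}

def lagrange_at_zero(i, S):
    """Lagrange coefficient at 0: product over j in S, j != i, of (0 - j)/(i - j)."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = (num * (-j)) % P
            den = (den * (i - j)) % P
    return num * pow(den, -1, P) % P

def recover(shares, S):
    """Interpolate q(0) from the shares held by the players in S."""
    return sum(shares[i] * lagrange_at_zero(i, S) for i in S) % P

def recover_from_overlap(shares, omega, omega_prime, d):
    """Fuzzy matching: succeed only if the two sets share at least d elements."""
    common = sorted(set(omega) & set(omega_prime))
    if len(common) < d:
        return None  # identities too far apart, nothing is reconstructed
    return recover(shares, common[:d])  # any d-element subset works

if __name__ == "__main__":
    omega = [1, 2, 3, 4, 5]                      # constructed identity set
    shares = make_shares(123456789, 3, omega)
    print(recover_from_overlap(shares, omega, [2, 3, 5, 9, 11], 3))
    print(recover_from_overlap(shares, omega, [4, 5, 9, 10, 11], 3))
```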
Fuzzy Identity Based Signature (FIBS) scheme
Consists of 4 steps:
• Setup
• Extract
• Sign
• Verify
FIBS schemes
[Diagram: the four algorithms Setup, Extract, Sign and Verify; labels: $1^k$, mk, params, ID, $D_{ID}$, M, $\sigma$, ID′, 0/1]
Security Model
Unforgeable Fuzzy Identity Based Signature against Chosen-Message Attack (UF-FIBS-CMA)
Security Model
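[Diagram: security game between the Adversary and Setup, the Signing Oracle and the Private Key Oracle; labels: params, $\alpha$, $\gamma_i$ with $|\gamma_i \cap \alpha^*| < d$, $K_{\gamma_i}$, $(M_i, \alpha)$, $\sigma_i$]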
’s success probability is
The fuzzy identity based signature scheme FIBS is said to be UF-FIBS-CMA secure if is negligible in the security parameter
Definition
The Scheme
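[Diagram: FIBS schemes, with the algorithms Setup, Extract, Sign and Verify; labels: 0/1 (invalid/valid), ID′ ($\omega'$), $\sigma$, $D_{ID}$, S, $K_\omega$, ID ($\omega$), mk (MK), params, $1^k$, PP, n, d, M]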
• and are groups of the prime order
• Bilinear pairing
• is a generator of
• Identities are sets of elements of
Building Blocks
• Choose
• Choose uniformly random from
• Let be the set
• Select a random integer
• Select a random vector
• Public parameters
• Master key
Setup
• Choose a random degree polynomial such that
• Return
• is a random number from defined for all
Extract
• A bit string
• Select a random for
• Output
Sign
• where
• Choose an arbitrary -element subset of
• Verify
Verify
Correctness check
Security Proof
Security Game
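[Diagram: security game with a Simulator that is given $(g, g^a, g^b)$ and must output $g^{ab}$, placed between the Adversary and Setup, the Signing Oracle and the Private Key Oracle; labels: params, $\alpha^*$, $\gamma$ with $|\gamma \cap \alpha^*| < d$, $K_\gamma$, $(M, \alpha^*)$, $\sigma$]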
• Let be an adversary that makes at most signature queries and produces a successful forgery against the scheme with probability in time
• Then there exists an algorithm that solves the CDH problem in with probability in time
Theorem
• Select a random identity
• Choose
• A random number
• Random numbers in the interval
• Random exponents
Setup
• Let and
• Choose
• A random degree polynomial
• An degree polynomial such that if and only if
• for from to
Setup
• Answer private key query on identity
• Define , , and
Private Key Oracle
• Define private key for
• For
• and are chosen randomly in
• For
Private Key Oracle
• Define degree polynomial as
• Let
• For , it can be shown that
Private Key Oracle
• Answer signature query on identity for some
• If , then the simulator aborts
• Select a random set
Signing Oracle
• For
• is chosen randomly in
• For
Signing Oracle
• Pick random , for
• Compute
Signing Oracle
• For , it can be shown that
Signing Oracle
• Output a valid forgery on for identity
• If or , then aborts.
Producing Forgery
• For some
Producing Forgery
• Select a random set such that and
• Compute
Producing Forgery
could solve the CDH instance by outputting
The probability is
Solving CDH
Issues
• Privacy
• Capture and replay

• No anonymity for signer
Privacy
• Only secure when forgery of identity can be detected
Capture and replay
Conclusion
• Allows identity to issue a signature that identity can verify
• Provided that and are within some distance
• Unforgeable against adaptively chosen message attack
Conclusion
Thank you
Question?
1. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO '01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pages 213-229, London, UK, 2001. Springer-Verlag.
2. Jin Li and Kwangjo Kim. Attribute-based ring signature. Cryptology ePrint Archive, Report 2008/394, 2008.
3. Amit Sahai and Brent Waters. Fuzzy Identity-Based encryption. In Advances in Cryptology – EUROCRYPT 2005, pages 457-473. 2005.
4. Siamak F Shahandashti and Reihaneh Safavi-Naini. Threshold attribute-based signatures and their application to anonymous credential systems. Cryptology ePrint Archive, Report 2009/126, 2009.
5. Brent Waters. Efficient Identity-Based encryption without random oracles. In Advances in Cryptology – EUROCRYPT 2005, pages 114-127. 2005.
6. Piyi Yang, Zhenfu Cao, and Xiaolei Dong. Fuzzy identity based signature. Cryptology ePrint Archive, Report 2008/002, 2008.
References