On the security of a modified Beth identity-based identification scheme


Information Processing Letters 113 (2013) 580–583


Information Processing Letters www.elsevier.com/locate/ipl

Ji-Jian Chin a,∗, Syh-Yuan Tan b, Swee-Huay Heng b, Raphael C.-W. Phan a

a Faculty of Engineering, Multimedia University, 63100 Cyberjaya, Selangor, Malaysia
b Faculty of Information Science and Technology, Multimedia University, Jalan Ayer Keroh, 75450 Melaka, Malaysia

Article info

Article history: Received 8 April 2013; Received in revised form 30 April 2013; Accepted 30 April 2013; Available online 6 May 2013. Communicated by D. Pointcheval.

Keywords: Cryptography; Identity-based identification; Beth-IBI; Cryptanalysis; Proof of security

Abstract

In their seminal work on identity-based identification (IBI) schemes in 2004, Bellare et al. left open the question of whether the Beth identification scheme, and consequently the derived IBI scheme, can be proven secure against active and concurrent attackers. In 2008, Crescenzo answered the question in the positive by presenting a modified version of the Beth identification scheme as well as the corresponding derived IBI scheme. In this paper, we show that while the modified version of the Beth identification scheme proposed by Crescenzo is secure, an attack exists on the corresponding Beth-IBI scheme.

∗ Corresponding author. Tel.: +60 3 83125475. E-mail address: [email protected] (J.-J. Chin).

0020-0190/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.ipl.2013.04.015

1. Introduction

An identification scheme is a cryptographic primitive that allows a prover to prove knowledge of his secret key to any interested party, with the latter learning nothing about the prover's secret upon completion of their interaction. Standard identification schemes rely on certificates, giving rise to the certificate management problem when the number of users grows large. Identity-based cryptography, introduced by Shamir in [1], circumvents this problem by allowing a user to be implicitly certified through the use of his identity-string in the key generation process.

Identity-based identification (IBI) schemes were first proposed and rigorously defined in 2004, independently by Kurosawa and Heng [2] and Bellare et al. [3]. In the latter work, the authors showed that any standard identification scheme defined by a trapdoor sampleable relation can be transformed into an identity-based one. They then showed that a large class of IBI schemes is captured by their transformation, classifying them by the family of intractable mathematical problems they rely on. However, the only convertible scheme in the discrete-logarithm family is the Beth identification scheme, which first appeared in [4] without any security proof. Bellare et al. [3] also only managed to prove security against impersonation under passive attacks, leaving open the question of whether the Beth identification scheme is secure against active and concurrent attacks.

In 2008, Crescenzo answered this open question in the positive [5], showing that with a small modification of the Beth standard identification scheme as formulated by Bellare et al. [3] (which we refer to as Beth-SI-0 in this paper), a reduction showing security against active and concurrent attacks can be achieved. In the same paper, the author also gave the corresponding Beth-IBI scheme derived from this standard identification scheme and claimed that security against active and concurrent attackers is inherited as well. In this paper, we show that this is not the case. While Crescenzo's modified Beth standard identification scheme [5] (which we refer to as Beth-SI-1 in this paper) is secure, we show a problem in the described modified Beth-IBI scheme which allows the attacker to recover even the master secret key.

The rest of the paper is organised as follows. In Section 2, we provide some preliminaries: the hard problems, assumptions and definition for IBI schemes. In Section 3, we review the modified Beth-IBI scheme from [5], and in Section 4 we demonstrate the attack on it. We discuss the attack in Section 5 and conclude in Section 6.

2. Identity-based identification schemes

An IBI scheme consists of four probabilistic polynomial-time algorithms (Setup S, Extract E, Prover P and Verifier V):

1. Setup S: S takes in the security parameter $1^k$, publishes the master public key mpk and stores the master secret key msk.
2. Extract E: E takes in an identity-string ID and msk, and generates the corresponding user secret key usk.
3. Identification protocol (Prover P and Verifier V): P receives mpk, ID and usk as input and V receives mpk and ID; the two run an interactive protocol consisting of the following steps, after which V decides whether to accept or reject P:
(a) Commitment: P sends a commitment CMT to V.
(b) Challenge: V sends a challenge CHA, randomly chosen from a predefined challenge set, to P.
(c) Response: P returns a response RST, on the basis of which V either accepts or rejects.

The goal of an adversary against an IBI scheme is impersonation, while the capabilities of an adversary are categorised as follows:

1. Passive attacker: only eavesdrops on conversations between honest provers and verifiers to extract information from their conversation transcripts.
2. Active attacker: able to interact with honest provers as a cheating verifier to learn information.
3. Concurrent attacker: similar to the active attacker, except that it is able to interact with several prover instances simultaneously.
For IBI schemes, the adversary chooses the public identity it attacks, as opposed to being handed a random public key as in standard identification schemes. It is also assumed that the adversary may have obtained the user secret keys of other users, so the definition allows it access to the user secret keys of any identity except the one being attacked. Security of an IBI scheme is defined by a two-phase game between an impersonator I and a challenger C:

• Setup. C takes input 1k , runs Setup and gives the parameters to I . It keeps the master secret key to itself.

• Phase 1. In Phase 1, I can issue extract queries and identification queries adaptively to C. For the passive attacker, C responds with conversation transcripts of honest parties, while for the active and concurrent attackers, C simulates the prover while I acts as the cheating verifier.

• Phase 2. Eventually I outputs a challenge identity $ID^*$ that it intends to impersonate. I now changes roles and acts as the cheating prover, trying to convince the verifier C by utilizing the information gathered in Phase 1. I wins the game if it succeeds in convincing C with non-negligible probability.

We say an IBI scheme is $(t_{IBI}, q_{IBI}, \varepsilon_{IBI})$-secure under passive/active/concurrent attacks if for any passive/active/concurrent impersonator I that runs in time $t_{IBI}$ and makes at most $q_{IBI}$ Extract queries, $\Pr[I \text{ can impersonate}] \leq \varepsilon_{IBI}$.

3. Reviewing Crescenzo's modified Beth identity-based identification scheme (Beth-IBI-1)

Next, we review Crescenzo's modified Beth-IBI scheme in [5], which the author designated as Beth-IBI-1. We note that some definitions from [5] do not conform to the definitions given in [3] and [2]. One example is defining H as a random oracle instead of a hash function and keeping it secret instead of publishing it. If this were the case, the verifier could not obtain the value of h = H(ID), since h is not transferred anywhere in the protocol; instead, it is assumed that the verifier obtains h by some means that is not described. We direct the interested reader to Fig. 4 of [5] for the original description of Beth-IBI-1. In our review, we make [5]'s scheme follow the IBI definitions of Bellare et al. [3] and Kurosawa and Heng [2]: H is treated as a hash function in the real IBI scheme and as a random oracle only in the security simulation, and its value is known to every party, honest and malicious alike, as per the definition of random oracles in [6]. We also follow [1]'s convention that ID strings as well as their hash values are available to all, since anyone can compute the hash value of ID if H is public. This is also what lets the verifier obtain the value of h = H(ID) for its verification check during the protocol.

1. Setup S. Select a generator $g \xleftarrow{\$} G$ and random secrets $x, r \xleftarrow{\$} \mathbb{Z}_q$, and compute $R = g^r$ and $X = g^x$. Choose a hash function $H: \{0,1\}^* \to \mathbb{Z}_q$. The master public key is $mpk = \langle G, q, g, X, R, H \rangle$ while the master secret key is $msk = \langle x, r \rangle$. (Here we remove pk from msk since there is no definition for it.)

2. Extract E. Compute $h = H(ID) \in \mathbb{Z}_q$, where ID is the user's identity-string, and calculate $s = r^{-1}(h - Rx)$. The user secret key is then $usk = s$ (we remove the terms mpk, ID and h from usk since these are publicly known). As in Beth's scheme, the group element R is used as an integer modulo q wherever it appears as a scalar, here and in the exponent cR below.

3. Identification protocol. Prover P and Verifier V do the following:
(a) P chooses a random $y \xleftarrow{\$} \mathbb{Z}_q$, computes $Y = R^{-y}$ and sends Y to V.
(b) V picks a random challenge $c \xleftarrow{\$} \mathbb{Z}_q$ and sends it to P.
(c) P calculates $z = y + cs$ and sends z as its response to V. V calculates $h = H(ID)$ and accepts if $g^{ch} = R^z Y X^{cR}$.

Correctness ensues since
\[
R^z Y X^{cR} = g^{ry + rcs}\, g^{-ry}\, g^{xcR} = g^{rc\,(r^{-1}(h - xR)) + xcR} = g^{ch - xcR + xcR} = g^{ch}.
\]

Lastly, we remark that [5] did not provide a proof of security for the Beth-IBI-1 scheme, but only for the Beth-SI-1 scheme. The Beth-SI-1 scheme is modified from the original Beth-SI-0 scheme defined in [3] by letting R be a public value instead of a user-generated one. By doing so, the author manages to prove security against active and concurrent attacks. For the reader's information, [3] defined Beth-SI-0 in their seminal work and only provided a proof of security against passive attackers, leaving open the question of whether Beth-SI-0 and Beth-IBI-0 are secure against active and concurrent attackers. Crescenzo, following the inheritance claim of Bellare et al. [3], asserted that the security of Beth-IBI-1 against active and concurrent attackers is inherited from Beth-SI-1. However, in the following section we show that this is not the case by presenting an attack on the Beth-IBI-1 scheme as defined above. We note that the Beth-SI-1 scheme remains secure, and explain why in Section 5.

4. Attack on Beth-IBI-1

In this section, we show how an attacker can reveal the master secret key msk with only two hash queries and two Extract queries. Both kinds of query are permitted by the security game played between the impersonator and the challenger as defined in Section 2. The attacker selects two identities to corrupt, $ID_1$ and $ID_2$, and obtains $h_1 = H(ID_1)$ and $h_2 = H(ID_2)$ through the random oracle (choosing the identities so that $h_1 \neq h_2$). He then makes two queries to the Extract oracle to obtain $usk_1 = s_1 = r^{-1}(h_1 - xR)$ and $usk_2 = s_2 = r^{-1}(h_2 - xR)$. With these values, he can obtain r by calculating

\[
\frac{h_1 - h_2}{s_1 - s_2}
= \frac{h_1 - h_2}{r^{-1}(h_1 - xR) - r^{-1}(h_2 - xR)}
= \frac{h_1 - h_2}{r^{-1}h_1 - r^{-1}xR - r^{-1}h_2 + r^{-1}xR}
= \frac{h_1 - h_2}{r^{-1}(h_1 - h_2)}
= \frac{1}{r^{-1}}
= r \tag{1}
\]

With the value of r, the attacker can go on to solve for x, thus obtaining both components of $msk = \langle x, r \rangle$: from $s_1 = r^{-1}(h_1 - Rx)$ one gets $x = R^{-1}(h_1 - r s_1)$, with all arithmetic in $\mathbb{Z}_q$ and R invertible modulo q.

5. Discussion

The reason this attack works is that no fresh coins are injected into Extract each time a new user signs up. This enables an adversary with access to two user secret keys, or any two users conspiring with their own secret keys, to take the difference of the keys and retrieve the master secret key components embedded in them. Furthermore, the keys are related through the shared master public key, which is the same for every user. Sound practice for designing discrete-logarithm IBI schemes, as in the Okamoto-IBI and BNN-IBI schemes found in [3], has fresh coins generated by Extract. In the case of Beth-IBI-1, it would make sense to move the generation of a new r for each user sign-up from Setup to Extract. However, doing so yields exactly the Beth-IBI-0 scheme proposed in [3], in which it is difficult to simulate the inversion of r in the interactive protocol for the challenge identity at the request of the adversary. This is the reason why Beth-IBI-0's security against active and concurrent adversaries remains an open problem to this day. There seems to be no easy fix in sight.

The same attack does not, however, apply to the Beth-SI-1 scheme, whose architecture differs from that of Beth-IBI-1. In a standard identification scheme a fresh public/private key pair is generated for each user, so the users' keys are unrelated to each other: an adversary cannot take the difference of user key values, because fresh x and r values are computed for each new user. This contrasts with IBI schemes, where all users share the parameters fixed in the master public key, so without fresh randomness injected into the generation of each user's secret key an adversary who obtains two user secret keys can take their difference to reveal the master secret key, as in the attack above. Therefore, the Beth-SI-1 scheme remains secure.

6. Conclusion

In this paper, we reviewed Crescenzo's Beth-IBI-1 scheme and showed an attack on its user secret key generation that reveals the master secret key. The security of Beth-IBI against active and concurrent attack remains an open problem.

Acknowledgements

The authors would like to thank the Exploratory Research Grant Scheme ERGS/1/2011/PK/MMU/03/1 for supporting this research. The first and second authors would also like to thank their host, Dr Geong-Sen Poh at MIMOS, for hosting them for their weekly industrial attachment, during which this paper was written thanks to the insightful discussions held there.

References

[1] A. Shamir, Identity-based cryptosystems and signature schemes, in: G.R. Blakley, D. Chaum (Eds.), CRYPTO, Lecture Notes in Computer Science, vol. 196, Springer, 1984, pp. 47–53.


[2] K. Kurosawa, S.-H. Heng, From digital signature to ID-based identification/signature, in: F. Bao, R.H. Deng, J. Zhou (Eds.), Public Key Cryptography, Lecture Notes in Computer Science, vol. 2947, Springer, 2004, pp. 248–261.
[3] M. Bellare, C. Namprempre, G. Neven, Security proofs for identity-based identification and signature schemes, in: C. Cachin, J. Camenisch (Eds.), EUROCRYPT, Lecture Notes in Computer Science, vol. 3027, Springer, 2004, pp. 268–286.
[4] T. Beth, Efficient zero-knowledge identification scheme for smart cards, in: C.G. Günther (Ed.), EUROCRYPT, Lecture Notes in Computer Science, vol. 330, Springer, 1988, pp. 77–84.
[5] G.D. Crescenzo, On the security of Beth's identification schemes against active and concurrent adversaries, in: J. Calmet, W. Geiselmann, J. Müller-Quade (Eds.), MMICS, Lecture Notes in Computer Science, vol. 5393, Springer, 2008, pp. 1–17.
[6] M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in: D.E. Denning, R. Pyle, R. Ganesan, R.S. Sandhu, V. Ashby (Eds.), ACM Conference on Computer and Communications Security, ACM, 1993, pp. 62–73.