nach oben

International Journal of Information Security

Erschienen in:

30.03.2016 | Regular Contribution

Linkable message tagging: solving the key distribution problem of signature schemes

verfasst von: Felix Günther, Bertram Poettering

Erschienen in: International Journal of Information Security | Ausgabe 3/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter have not been found yet. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys and hence elegantly sidesteps the key distribution problem of signature schemes. As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address. As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles. This article extends prior work of the same authors that appeared in the proceedings of ACISP 2015 (Günther and Poettering in 2015).

Vorheriger Artikel A key management scheme evaluation using Markov processes

Nächster Artikel Efficient identity-based online/offline encryption and signcryption with short ciphertext

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

We note that recently introduced techniques like Certificate Transparency [32] do not resolve the described issues, but aim at making deficits visible.

Note that the \(\mathsf {BLS}\) signature scheme can be seen as the result of applying this technique to the LMT scheme \(\mathsf {BLS\text { -}{}LMT}\). The reference tag is \(X=g^x\) and (virtually) corresponds to a message in \(H^{-1}(g)\).

Note that, in a different context, a similar approach is discussed by Katz [30, Section 2.4.2]. However, our construction is more efficient than his as our signatures do not need to explicitly carry the verification key.

Although the statement proved by Pointcheval and Stern [41] considers only \({\mathsf {euf\text { -}{}cma}}\) security, their results can readily be extended to also cover the \({\mathsf {suf}\text {-}\mathsf {cma}}\) notion.

Available under a free license at http://bench.cr.yp.to/supercop.html.

Observe that inverting \(\varphi \) would be possible if the index of \(\mathbb {G}\) in \(\mathbb {Z}_p^*\) was small (e.g., in the ‘safe prime’ setting where \(p=2q+1\)); however, the \(\mathsf {DSA}\) standard requires \(|\mathbb {Z}_p^*|/|\mathbb {G}|\) to be large (e.g., \(|\mathbb {Z}_p^*|\approx 2^{1024}\) and \(|\mathbb {G}|\approx 2^{160}\)).

A similar technique is proposed in [11, Section 4.1.6].

Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.S. (Ed.) ASIACRYPT 2003, LNCS, vol. 2894, pp. 452–473. Springer, Berlin (2003)

American National Standard for Financial Services: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (ANS X9.62-2005) (2005)

Atkins, D., Stallings, W., Zimmermann, P.: PGP Message Exchange Formats. RFC 1991 (Informational) (1996). http://www.ietf.org/rfc/rfc1991.txt, obsoleted by RFC 4880

Balfanz, D., Smetters, D.K., Stewart, P., Wong, H.C.: Talking to strangers: Authentication in ad-hoc wireless networks. In: NDSS 2002. The Internet Society (2002)

Bassham, L., Polk, W., Housley, R.: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3279 (Proposed Standard) (2002). http://www.ietf.org/rfc/rfc3279.txt, updated by RFCs 4055, 4491, 5480, 5758

Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (Eds.) CHES 2011, LNCS, vol. 6917, pp. 124–142. Springer, Berlin (2011)

Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (Eds.) PKC’99 LNCS, vol. 1560, pp. 154–170. Springer, Berlin (1999)

Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (Eds.) EUROCRYPT 2004, LNCS, vol. 3027, pp. 56–73. Springer, Berlin (2004)

Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (Ed.) ASIACRYPT 2001, LNCS, vol. 2248, pp. 514–532. Springer, Berlin (2001)

10.

Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)MathSciNetCrossRefMATH

11.

Brown, D.: Certicom Research, Standards for Efficient Cryptography Group (SECG)—SEC 1: Elliptic Curve Cryptography (2009). http://www.secg.org/download/aid-780/sec1-v2.pdf, version 2.0

12.

Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Cryptogr. 35(1), 119–152 (2005)MathSciNetCrossRefMATH

13.

Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format. RFC 4880 (Proposed Standard) (2007). http://www.ietf.org/rfc/rfc4880.txt, updated by RFC 5581

14.

Callas, J., Donnerhacke, L., Finney, H., Thayer, R.: OpenPGP Message Format. RFC 2440 (Proposed Standard) (1998). http://www.ietf.org/rfc/rfc2440.txt, obsoleted by RFC 4880

15.

Dang, Q., Santesson, S., Moriarty, K., Brown, D., Polk, T.: Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA. RFC 5758 (Proposed Standard) (2010). http://www.ietf.org/rfc/rfc5758.txt

16.

Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATH

17.

Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (Ed.) CRYPTO’86, LNCS, vol. 263, pp. 186–194. Springer, Berlin (1987)

18.

Fox-IT: Black Tulip—Report of the Investigation into the DigiNotar Certificate Authority Breach (2012). http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf

19.

Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefMATH

20.

Goldwasser, S., Micali, S., Rivest, R.L.: A “paradoxical” solution to the signature problem (abstract) (impromptu talk). In: Blakley, G.R., Chaum, D. (Eds.) CRYPTO’84, LNCS, vol. 196, p. 467. Springer, Berlin (1985)

21.

Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefMATH

22.

Google Online Security Blog: Maintaining Digital Certificate Security (2014). http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html

23.

Guillou, L.C., Quisquater, J.J.: A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (Ed.) CRYPTO’88, LNCS, vol. 403, pp. 216–231. Springer, Berlin (1990)

24.

Günther, F., Poettering, B.: Linkable Message Tagging: Solving the Key Distribution Problem of Signature Schemes. In: Foo, E., Stebila, D. (Eds.) Information Security and Privacy, 20th Australasian Conference (ACISP 2015), LNCS, vol. 9144, pp. 195–212. Springer, Berlin (2015)

25.

Housley, R.: Cryptographic Message Syntax (CMS). RFC 3369 (Proposed Standard) (2002). http://www.ietf.org/rfc/rfc3369.txt, obsoleted by RFC 3852

26.

Housley, R.: Cryptographic Message Syntax (CMS). RFC 3852 (Proposed Standard) (2004). http://www.ietf.org/rfc/rfc3852.txt, obsoleted by RFC 5652, updated by RFCs 4853, 5083

27.

Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652 (INTERNET STANDARD) (2009). http://www.ietf.org/rfc/rfc5652.txt

28.

Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447 (Informational) (2003). http://www.ietf.org/rfc/rfc3447.txt

29.

Kaliski, B.: PKCS #7: Cryptographic Message Syntax Version 1.5. RFC 2315 (Informational) (1998). http://www.ietf.org/rfc/rfc2315.txt

30.

Katz, J.: Digital Signatures. Springer, Berlin (2010); iSBN 978-0387277110

31.

Koblitz, N., Menezes, A.: Another look at security definitions. Adv. Math. Commun. 7(1), 1–38 (2013)MathSciNetCrossRefMATH

32.

Laurie, B., Langley, A., Kasper, E.: Certificate Transparency. RFC 6962 (Experimental) (2013). http://www.ietf.org/rfc/rfc6962.txt

33.

Leontiev, S., Shefanovski, D.: Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC 4491 (Proposed Standard) (2006). http://www.ietf.org/rfc/rfc4491.txt

34.

Mashatan, A., Vaudenay, S.: A message recognition protocol based on standard assumptions. In: Zhou, J., Yung, M. (Eds.) ACNS 10 LNCS, vol. 6123, pp. 384–401. Springer, Berlin (2010)

35.

Menezes, A., Smart, N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. 33(3), 261–274 (2004)MathSciNetCrossRefMATH

36.

Micali, S.: A Secure and Efficient Digital Signature Algorithm. Technical Memo MIT/LCS/TM-501b, Massachusetts Institute of Technology, Laboratory for Computer Science (1994)

37.

National Institute of Standards and Technology: Digital Signature Standard (DSS) (FIPS PUB 186-4) (2013)

38.

Ong, H., Schnorr, C.P.: Fast signature generation with a Fiat–Shamir-like scheme. In: Damgård, I. (Ed.) EUROCRYPT’90, LNCS, vol. 473, pp. 432–440. Springer, Berlin (1990)

39.

OpenSSL Project: Open Source Secure Sockets Layer and Transport Layer Security Implementation. http://www.openssl.org

40.

Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (Ed.) EUROCRYPT’96, LNCS, vol. 1070, pp. 387–398. Springer, Berlin (1996)

41.

Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)CrossRefMATH

42.

Ramsdell, B.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification. RFC 3851 (Proposed Standard) (2004). http://www.ietf.org/rfc/rfc3851.txt, obsoleted by RFC 5751

43.

Ramsdell, B., Turner, S.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751 (Proposed Standard) (2010). http://www.ietf.org/rfc/rfc5751.txt

44.

Schaad, J., Kaliski, B., Housley, R.: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 4055 (Proposed Standard) (2005). http://www.ietf.org/rfc/rfc4055.txt, updated by RFC 5756

45.

Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (Ed.) CRYPTO’89, LNCS, vol. 435, pp. 239–252. Springer, Berlin (1990)

46.

Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)CrossRefMATH

47.

Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (Eds.) CRYPTO’84, LNCS, vol. 196, pp. 47–53. Springer, Berlin (1985)

48.

TURKTRUST Information Security Services Inc.: Public Announcements (2013). http://turktrust.com.tr/en/kamuoyu-aciklamasi-en.html

49.

Waters, B.R.: Efficient identity-based encryption without random oracles. In: Cramer, R. (Ed.) EUROCRYPT 2005, LNCS, vol. 3494, pp. 114–127. Springer, Berlin (2005)

50.

Weimerskirch, A., Westhoff, D.: Zero common-knowledge authentication for pervasive networks. In: Matsui, M., Zuccherato, R.J. (Eds.) SAC 2003, LNCS, vol. 3006, pp. 73–87. Springer, Berlin (2004)

51.

Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th Conference on USENIX Security Symposium—Volume 8 (SSYM’990), pp. 14. USENIX Association, Berkeley, CA, USA (1999). http://dl.acm.org/citation.cfm?id=1251421.1251435

Titel: Linkable message tagging: solving the key distribution problem of signature schemes
verfasst von: Felix Günther
Bertram Poettering
Publikationsdatum: 30.03.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 3/2017
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-016-0327-z

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 3/2017

A key management scheme evaluation using Markov processes

A certificateless approach to onion routing

Efficient identity-based online/offline encryption and signcryption with short ciphertext

Making random permutations from physically unclonable constants

Broadcast anonymous routing (BAR): scalable real-time anonymous communication

Entropy analysis to classify unknown packing algorithms for malware detection

Premium Partner