Information-Theoretically Secure Key-Insulated

Africacrypt 2010, May 4, 2010

Information-Theoretically Secure Key-Insulated Multireceiver Authentication Codes ○Takenobu Seito Tadashi Aikawa Junji Shikata Tsutomu Matsumoto Yokohama National University, Japan 1

Overview  Introduction.  Information-theoretically secure Key-Insulated Multireceiver Authentication Codes(KI-MRA). - Model. - Security Notions and Their formalization. - Lower Bounds. - Direct/Generic Constructions. ■ Conclusion.

2

3

Introduction When long-term use of computationally secure cryptographic techniques (e.g. public-key encryption, digital signatures) is considered, there are two problems: I. Computationally secure schemes might not maintain sufficient long-term security because of recent rapid development of algorithms and computer technologies. Solution： Information-Theoretically secure scheme This scheme guarantees long-term security. II. One of the most serious threats in cryptographic protocols is exposure of secret-keys (i.e. exposure of secret-keys leads to a total break of the system).

Solution： Key-Insulated Scheme [Dodis et al. 02, 03] This scheme minimizes the risk of period 1 period 2 period 3 period 4 ○ ○ ・・・ × × key-exposure. Update of secret-keys

4

Our Study Our research topic is “authentication/signature schemes which have both information-theoretic and key-insulated security”. Especially... We propose Information-Theoretically Secure Key-Insulated Multireceiver Authentication codes（KI-MRA）.

Key-Insulated Security

Computational Security

Information-Theoretic Security

Confidentiality

[Dodis et al. 02]

[Hanaoka et al. 04]

Authenticity

[Dodis et al. 03]

Our Research

Fig. The area of our research.

Key-Insulated Signature Schemes[Dodis et al. 03] (physically-protected) secure device

Secure against signing-key exposure or master-key exposure

master-key key-update information

insecure device verify signed message

old singing-key

update signing-key signer

signed message

verification-key verifier

5

Ｍｕｌｔｉreceiver Authentication codes(MRA-codes)

6

■ One of the information-theoretically secure authentication schemes proposed by Desmedt et al. ［Desmedt et al. 92］. :broadcast channel Authenticated message

Each receiver can individually verify the authenticated message. receiver R1

sender S S can transmit an authenticated message to a group of receivers.

・・ ・ receiver Rn

We focus on this scheme and propose Key-Insulated Multireceiver Authentication codes （KI-MRA）.

7

KI-MRA -Model1. Key Generation and Distribution by TI.

KGen

:secure channel

ＴＩ：trusted Initializer mk

es(0)

en e1 receiver Rn

(physically-protected) secure device H sender S

receiver R1

Assumption: Lifetime of the system is divided into N periods. ・ ・ ・ ・

KGen is a key generation algorithm. mk is a master-key. es(0) is an initial secret-key for the sender S. ei is a secret-key for Ri（It will not be updated at each period).

8

KI-MRA -Model2. Updating sender’s secret-keys for a period j from a period h. :secure channel

mk(h,j)=KUpd*（mk,h,j） mk(h,j)

mk device H

・ ・ ・ ・

es(j)=KUpd（es(h),mk(h,j)）

es(h) sender S

KUpd* is a key-updating algorithm for the device H. Kupd is a key-updating algorithm for the sender S. h∈｛0, 1, ..., N｝, j∈｛1, 2, ..., N｝. mk(h,j) is key-updating information.

9

KI-MRA -Model3. Authentication / Verification at the period j. :broadcast channel

α=KAuth（es(j),m）

KVer（ei,α,j）=true/ false receiver R1

(α,j)

・・ ・

es(j) sender S

(α,j)

e1

receiver Rn

en

We consider the one-time model, in which the sender is allowed to generate and broadcast an authenticated message at most only once per period.

・ ・ ・ ・

KAuth is an authentication algorithm. KVer is a verification algorithm. m is a message. α is an authenticated message.

10

KI-MRA –Attacking ModelThe adversary can corrupt at most ω dishonest receviers.

・・・

adversary

dishonest receivers We consider the following two types of exposure:

Type A

Type B

At most γ sender’s secret-keys are exposed from the insecure device.

The master-key is exposed from the secure device. (It means the device is robbed).

period1 period 2 ・・・ period N

es(1)

es(2)

es(N) mk

adversary

adversary

11

KI-MRA –Attacking ModelImpersonation Attack

accept!

t: target period

The adversary tries to generate an illegal authenticated message at a (α,j) period t, that has not been legally receiver Ri sender S generated by S but will be accepted by Ri. adversary Gathered key-information

Substitution Attack

(α,j) sender S adversary

accept!

t: target period

After observing a valid authenticated message, the adversary tries to receiver Ri generate an illegal authenticated message at a period t, that has not (α’,j) been legally generated by S but will be accepted by Ri. Gathered key-information

12

KI-MRA –Security NotionsDefinition. KI-MRA Π is called (n,ω；N,γ;εA,εB)-one-time secure if the following conditions are satisfied. max(PΠ,IA, PΠ,SA)  εＡ， max(PΠ,IB, PΠ,SB)  εＢ -

n is the number of receivers. ω is the number of dishonest receivers. N is the totality of periods. γ is the number of period at which sender’s secret-keys may be exposed. Impersonation Attack

Substitution Attack

Type A

PΠ,IA

PΠ,SA

Type B

PΠ,IB

PΠ,SB

Fig. The combination between attacks and key-exposure types.

13

KI-MRA -Lower BoundsTheorem.

Lower bounds of success probabilities of attacks PΠ,IA, PΠ,SA, PΠ,IB, PΠ,SB are as follows.

P , I A ( Ri , W , , t )  2

 I ( A( t ) ; Ei( t ) | EW , E )

P , S A ( Ri , W , , t )  2 P , I B ( Ri , W , t )  2

~  I ( A ( t ) ; Ei( t ) | EW , E , A( t ) )

 I ( A( t ) ; Ei( t ) | EW , MK )

P , S B ( Ri , W , t )  2

~  I ( A ( t ) ; Ei( t ) | EW , MK , A( t ) )

W is a set of ω dishonest receivers. Ri ∉ W is a target verifier. Γ is a set of key-exposed period. t ∉ Γ is a period when attack will be done.

14

KI-MRA -Lower BoundsTheorem.

Let Π be an (n,ω；N,γ;1/q,1/q)-one-time secure KI-MRA. Then, we have the following lower bounds of memory sizes:

Sender’s secret-keys at period j: Receiver Ri’s secret-keys:

Master-keys: Key-update information: Authenticated messages:

| S

| q 2 ( 1)

( j)

|  i | q 2 ( 1) |  | q 2 ( 1) |

( h, j )

|

( j)

| q

| 2

2 ( 1)

H (M )

q

 1

（ 1 i n, 0  ω＜n，0 γ＜Ｎ，0 h  Ｎ，1 j Ｎ ） Our direct construction will meet all the above inequalities with equalities.

The above bounds are tight!

15

KI-MRA -Lower BoundsNote: The proposed lower bounds of KI-MRA are extension of those of MRA-codes[Safavi-Naini et al. 99]. In the case of γ=0:

Sender’s secret-keys at period j:

|  S | q 2( 1)

Receiver Ri’s secret-keys:

|  i | q 2

Authenticated messages:

|  | 2 H ( M ) q 1

（ 1 i  n, 0  ω＜n, 0 h  Ｎ，1 j  Ｎ ）

（n,ω;N,0;εA,εB）-one-time secure KI-MRA = MRA-codes.

- Direct Construction A construction which uses polynomials over finite fields Fq (q: prime power). This construction meets lower bounds with equalities ⇒It is optimal construction. 16

17

KI-MRA -Direct Construction1. Key Generation and Distribution by TI.

The master-key for the device H 



1



1

F ( x, z ) :  ai , 0,k x i z k , mk ( x, y, z ) :  ai , j ,k x i y j z k i 0 k 0

i  0 j 1 k  0

The initial secret-key for sender

(ai , j ,k  Fq )

eS(0)(x, z) := F(x,z) The receiver Ri’s secret-key

ei (y, z) := F(Ri,z) + mk(Ri,y,z) （Ri ∈Ｆq＼｛0｝:RiのID）

KI-MRA -Direct Construction-

18

2. Updating sender’s secret-keys for a period j from a period h. The key-updating information

mk(h,j)(x, z) := mk(x,j,z) - mk(x,h,z) mk(h,j)

The sender’s secret-key at the period j

eS(j)(x, z) := eS(h)(x, z) + mk(h,j)(x, z) = F(x,z) + mk(x,h,z) + mk(x,j,z) - mk(x,h,z) = F(x.z) + mk(x,j,z)

19

KI-MRA -Direct Construction3. Authentication / Verification at the period j. Authentication

α(x) := eS(j)(x, m) = F(x,m)+mk(x,j,m) α=(m, α(x)) (α,j)

α(x)|x=Ri

Ri verifies whether these two values are equal. Verification by Ri

ei (y, z) := F(Ri,z) + mk(Ri,y,z)

ei (y, z)|y=j, z=m

20

KI-MRA -Direct ConstructionTheorem. The proposed construction is (n,ω；N,γ;1/q,1/q)-one-time secure, and optimal. Memory sizes of secret-keys and authenticated messages

Sender’s secret-keys at period j: Receiver Ri’s secret-keys: Master-keys: Key-update information:

Authenticated messages:

| S

( j)

| q

2 ( 1)

|  i | q 2 ( 1) |  | q 2 ( 1) |  ( h , j ) | q 2 ( 1) |

( j)

| 2

H (M )

q

 1

- Generic Construction -

Cover free family

+

KI-MRA

MRA-codes[Safavi-Naini et al.99] Merit: A flexibility in choosing system parameters.

21

Cover free family (CFF)[Erdos et al.85] Definition.

Let - L={l1, l2, ..., ld} be a universal set. - ={F1, F2, ..., FN} be a family of subsets of L. Then, we call it (d, N, γ)-CFF if

Fi0  Fi1  Fi2    Fi for all Fi0 , Fi1 , Fi2 ,, Fi   ( Fi j  Fik , if j  k ) Not empty 

Fi0

F j 1

ij

22

23

KI-MRA -Generic Construction■ Basic idea:

(d,N,γ)-CFF

(n,ω,ε)-secure MRA-code N+d copies Combining

(n,ω;N,γ;εφ,ε)-one-time secure KI-MRA [Note] - n is the number of receivers - ω is the number of dishonest receivers - ε is a success probability of attacks

of the underlying MRA-code.

KI-MRA -Generic Construction1. Key Generation and Distribution by TI.

(u0( j ) , v1(,0j ) , v2( ,j0) ,, vn( ,j0) ) : the j-th output from MGen (1  j  N ) (l ) (l ) (l ) (l ) (u1 g , v1,1g , v2,1g ,, vn ,1g ) : the g-th output from MGen (1  g  d ) ※these keys are corresponding to li ∈L

The initial secret-key for the sender

eS( 0) : (u0(1) , u0( 2) ,, u0( N ) ,U ( 0 ) ) (U ( 0 )   ) The receiver Ri’s secret-key

ei : (vi(,10) , vi(,20) ,, vi(,N0 ) , vi(,l11 ) , vi(,l12 ) ,, vi(,l1d ) ) The master-key

mk : (u1(l1 ) , u1(l2 ) ,, u1(ld ) ) - MGen: a key generation algorithm of MRA-code. - u0(j), u1(j): a secret-key for sender. - vi,0(j), vi,1(j): a secret-key for receiver.

24

25

KI-MRA -Generic Construction2. Updating sender’s secret-keys for a period j from a period h. The key-updating information

mk ( h, j ) : U ( j ) (U ( j ) : {u1(l ) | l  Fj })

Fj

period j

mk(h,j)

The sender’s secret-key at the period j

eS( j ) : (u0(1) , u0( 2 ) ,, u0( N ) ,U ( j ) ) exchange

eS( h )  (u0(1) , u0( 2 ) , , u0( N ) ,U ( h ) ) The sender’s secret-key at the period h

Update

KI-MRA -Generic Construction■ Security:

U ( j ) : {u1(l ) | l  Fj }

t: target period

The sender’s secret-key at the period t

eS( j ) : (u0(1) , u0( 2 ) ,, u0( N ) ,U ( j ) )

a set of sender’s secret-keys corresponding to Fj.

γ exposed secret-keys for the sender

U

( j)



U Not empty

j 1

(l j )

eS( l1 ) : (u0(1) , u0( 2) ,, u0( N ) , U ( l1 ) ) ・・ ・ ( l ) (l ) (1) ( 2) eS : (u0 , u0 ,, u0( N ) ,U  ) adversary

From the definition of CFF... the adversary cannot obtain all information about the sender’s secret-key at the target period t.

26

KI-MRA -Generic Construction3. Authentication / Verification at the period j. Authentication

 : (m,  0( j ) ,  i( j ) ,  i( j ) ,  i( j ) ) 1

2

|Fj|

 0( j ) : MAuth(u0( j ) , m) 

( j) 0

: MAuth(u

(ig ) 1

, m) for all ig  F j Verification by Ri

(α,j)

MVer (v ,  ( j) i ,0

MVer (v

(lg ) i ,1

( j) 0

,

?

)  true

( j) lg

?

)  true for all l g  F j

- MAuth: an authentication algorithm of MRA-code. - MVer: a verification algorithm of MRA-code.

27

KI-MRA -Generic ConstructionTheorem. The proposed construction is (n,ω;N,γ;εφ,ε)-one-time secure. Here,  : min(| Fi 0  {Fi1   Fi } |) ,where the minimum is taken over all Fi 0 , Fi1 ,, Fi   .

28

Conclusion We studied Information-Theoretically Secure Key-Insulated Multireceiver Authentication codes (KI-MRA). Our Results - Newly introduced the model of KI-MRA. - Defined and formalized security notions of KI-MRA. - Derived lower bounds of success probabilities of attacks and memory sizes required for a secure KI-MRA（tight）. - Proposed two constructions: ・ Direct Construction（optimal） ・ Generic Construction

29

Thank you!

30

Appendix：Memory sizes of Constructions

Memory sizes of the generic construction Sender’s secret-keys at period j:| 

| ( N  | F j |) |  |

( j) S

Receiver Ri’s secret-keys:|  i

| ( N  d ) |  | | d |  |

Master-keys:|  Key-update information:| 

( h, j )

Authenticated messages:| 

( j)

|| F j ||  |

| (| F j | 1) |  |

31

Appendix：Formalization of PΠ,IA For any set of colluder W, any set of key-exposure periods Γ, any targeted honest receiver Ri ∉W and target period t ∉Γ, then

P , IA ( Ri , W , , t ) : max max max Pr(KVer (ei ,  , t )  true | eW , e ) eW

e

( , t )

- eW: a set of the colluders’ secret-keys. - eΓ: a set of sender’s secret-keys exposed such that es(t) ∉eΓ. - (α,t): an authenticated message.

32

Appendix：Formalization of PΠ,SA For any set of colluder W, any set of key-exposure periods Γ, any targeted honest receiver Ri ∉W and target period t ∉Γ, then

P , SA ( Ri ,W , , t ) : max max max max eW

e

( ',t ) ( ,t )  ( ',t )

Pr(KVer(ei ,  , t )  true | eW , e , ( ' , t )) - eW: a set of the colluders’ secret-keys. - eΓ: a set of sender’s secret-keys exposed such that es(t) ∉eΓ. - (α’,t), (α,t): an authenticated message.

33

Appendix：Formalization of PΠ,IB For any set of colluder W, any targeted honest receiver Ri ∉W and target period t ∉Γ, then

P , IB ( Ri , W , t ) : max max max Pr(KVer (ei ,  , t )  true | eW , mk ) eW

mk

( , t )

- eW: a set of the colluders’ secret-keys. - mk: an exposed master-key. - (α,t): an authenticated message.

34

Appendix：Formalization of PΠ,SB For any set of colluder W, any targeted honest receiver Ri ∉W and target period t ∉Γ, then

P ,SB ( Ri ,W , t ) : max max max max eW

mk

( ',t ) ( ,t )  ( ',t )

Pr(KVer(ei ,  , t )  true | eW , mk, ( ' , t )) - eW: a set of the colluders’ secret-keys. - mk: an exposed master-key. - (α’,t), (α,t): an authenticated message.

35