PriSign, A Privacy-Preserving Single Sign-On System for Cloud Environments
Abstract
1. Introduction
1.1. Contributions
1.2. Organization
2. Related Work and Comparison
3. Preliminaries
3.1. Bilinear Pairing
3.2. Complexity Assumptions
- Symmetric Discrete Logarithm (SDL) Assumption: Let be a bilinear group. Given and , the SDL assumption holds in if no efficient adversary can compute x with non-negligible probability.
- Decisional Diffie–Hellman (DDH) assumption: Let be a cyclic group of prime order and g be a generator of ; given , the DDH assumption holds in the group if no efficient adversary can distinguish from an element z randomly chosen from .
- Bilinear Decisional Diffie–Hellman (BDDH) Assumption: Let be a bilinear group; given , the BDDH assumption holds if no efficient adversary can distinguish from an element z randomly chosen from .
3.3. Structure-Preserving Signatures
- : On input a security parameter and a positive integer l, this algorithm generates a bilinear group and outputs public parameters .
- : On input public parameters , this algorithm selects and a generator , then computes . It outputs a secret key and a public key .
- : To sign l messages (), the signer selects , computes ; and , then outputs the signature .
- : To verify the signature on messages , this algorithm checks two pairing equations, and . If both equations are satisfied, it outputs 1; otherwise, it outputs 0.
3.4. Pointcheval–Sanders Signatures
- : On input of a security parameter and a positive integer q, this algorithm generates a bilinear group and outputs public parameters .
- : On input public parameters , this algorithm selects and computes . It outputs a secret key and a public key .
- : To sign messages (), the signer selects , computes , and outputs the signature .
- : To verify the signature on messages , this algorithm checks two equations, and . If both equations are satisfied, it outputs 1; otherwise, it outputs 0.
3.5. Inner-Product Functional Encryption
- : On input of a security parameter , this algorithm outputs a master private key and a master public key .
- : On input of a master private key and a characteristic vector , this algorithm outputs a policy key .
- : On input of a master public key , an attribute vector , and a message M, this algorithm outputs a ciphertext C.
- : On input of a policy key and a ciphertext C, this algorithm outputs the message M if ; otherwise, it outputs the failure symbol ⊥.
3.6. Zero-Knowledge Signature of Knowledge
- : On input of a security parameter , this algorithm outputs a public parameter .
- : On input of a message m and a relation , this algorithm outputs a ZKSoK: .
- : On input of a message m, a ZKSoK , and a statement y, this algorithm returns 1 if is valid; otherwise, it returns 0.
4. System and Security Model
4.1. System Model
- CA is a trusted global party responsible for setting up the system (step ➀), providing certification service for the ticket issuer (step ➂) and all users (step ➇) as well as issuing keys for a group of policymakers (step ➃). Moreover, CA can trace the identities of malicious users (step ➉).
- I is a ticket issuer and should register with CA (step ➁ and step ➂). I is tasked to verify any user’s credentials according to attribute disclosure policies generated by itself and to issue tickets for users (step ➈).
- P is an independent policymaker which receives keys from CA (step ➃) and is responsible for issuing a share of the policy key for each verifier and binding this share to the verifier’s identity (step ➄). The PriSign scheme is set up with n policymakers, of which t policymakers can cooperate to issue complete policy keys for verifiers. If a verifier is offline, t policymakers can cooperate to issue a new key with the same policy as the offline verifier that is bound to the identity of a new proxy verifier. This proxy-verifier can replace the offline verifier in order to complete the verification of tokens that are designated to be verified by the offline verifier.
- U with a set of attributes should apply for a credential from CA (steps ➆ and ➇). To obtain a ticket, U needs to present a credential to I anonymously and disclose a subset of attributes to prove that the attribute disclosure policy enforced by I is satisfied (step ➈). To access a designated service with a ticket, U computes an access token of the ticket using an attribute vector that matches the designated verifier’s policy (step ⑪).
- V should request a share of the policy key bound to its identity from each of t online policymakers (step ➄) and aggregate these shares into a complete policy key (step ➅). V with a complete policy key that matches the user’s attribute vector then provides token verification services for those users who designate it as the verifier, and can detect any double-spending tickets (step ⑫).
4.2. Formal Definition
- : This algorithm is operated by CA, which inputs a security parameter , a number of user attributes q, a number of policymakers n and threshold value t, and a policy length k, then outputs the system parameters , a main key pair , and a user registration list , where contains a matching function over the set of attribute vectors and the set of policies . To simplify the description, the remaining algorithms take as the input by default.
- : This algorithm is operated by the ticket issuer and outputs a secret key and public key .
- : This algorithm is run interactively between I and CA to issue a public key credential for I. I takes as inputs, while CA takes and as inputs. It returns either a credential for I if the execution of the algorithm succeeds, or ⊥ if the execution fails.
- : This algorithm is operated by CA to issue keys for n policymakers. It inputs , , and outputs a private key and a verification key for each P, where . Note that t policymakers can cooperate to recover the complete key used to generate policy keys for verifiers.
- : This algorithm is operated by a policymaker P with index i to generate a share of a policy key for a verifier with identity and policy . It inputs , a verifier’s identity , and a policy , and outputs a share of policy key .
- : This algorithm is operated by V, which receives t shares of the policy key from t policymakers and aggregates them into a complete policy key. It inputs , , t shares of policy key , and , then outputs a complete policy key .
- : This algorithm is operated by U and outputs a private key , a public key , and a tracing key .
- : This algorithm is run interactively between U and CA to issue an attribute-based credential for U. U takes the identity , , , and a set of attributes as inputs, while CA takes , , and as inputs. It returns either a credential for U and an updated user registration list if the execution of the algorithm succeeds, or ⊥ if the execution fails.
- : This algorithm is run interactively between U and I to issue a ticket for U. U takes , , , , an attribute disclosure policy (), and a context as inputs, while I takes , , and as inputs. It outputs either a credential presentation , a ticket , the ticket’s double-spending identity , and validity period if the execution of the algorithm succeeds, or ⊥ if the execution fails. Note that should satisfy an attribute disclosure policy generated by I to pass I’s verification, and CTX is a random value to prevent replay attacks.
- : This algorithm is operated by CA, which takes , , and as inputs, and outputs either a user’s identity if the execution of the algorithm succeeds or ⊥ if the execution fails.
- : This algorithm is operated by U to create an access token to a designated verifier with the policy . It takes , , , an attribute vector that matches the policy (i.e., ), and as inputs, then outputs an access token .
- : This algorithm is operated by a designated verifier V that takes , , , and as inputs. It outputs 1 if the token is validated and not double-spending, and 0 otherwise.
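As an added example (not the paper's own code or the PriSign repository's), the three policymaker algorithms above (key issuance by CA, a policy-key share per policymaker, aggregation by the verifier) and the proxy re-verification of Section 4.1 are modelled over a prime field rather than the bilinear group the paper uses; the prime P, the SHA-256 binding of identity and policy, and all function names are assumptions of this example.

```python
"""Threshold policy-key issuance of PriSign (Section 4.2), modelled over a
prime field.  Added illustration, not the paper's code: the real scheme runs
inside a bilinear group (TIPFE, Section 5.2.3); here the master key and its
shares are integers mod P so the t-of-n algebra can be checked directly.
P, the hash and the (identity, policy) binding are assumptions."""
import hashlib
import secrets

P = 2**127 - 1  # stand-in for the group order (assumption)


def lagrange_at_zero(indexes):
    """Coefficients lambda_i with sum(lambda_i * f(i)) == f(0) for any
    polynomial f of degree < len(indexes)."""
    coeffs = {}
    for i in indexes:
        num, den = 1, 1
        for j in indexes:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        coeffs[i] = num * pow(den, -1, P) % P
    return coeffs

def pkey_gen(n, t):
    """CA: pick master key s and hand policymaker i the share s_i = f(i) of a
    random degree-(t-1) polynomial f with f(0) = s.  Returns (s, {i: s_i})."""
    poly = [secrets.randbelow(P) for _ in range(t)]  # poly[0] is s
    shares = {i: sum(c * pow(i, k, P) for k, c in enumerate(poly)) % P
              for i in range(1, n + 1)}
    return poly[0], shares

def bind(id_v, policy):
    """Hash verifier identity and policy vector to a field element."""
    data = id_v.encode() + b"|" + ",".join(map(str, policy)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def pkey_share(i, s_i, id_v, policy):
    """Policymaker i: share of the policy key for verifier id_v / policy.
    Because it is linear in s_i, Shamir reconstruction still applies."""
    return (i, s_i * bind(id_v, policy) % P)

def pkey_agg(shares):
    """Verifier: Lagrange-combine t (index, share) pairs into the policy key.
    Any t distinct policymakers work; fewer than t give an unrelated value."""
    lam = lagrange_at_zero([i for i, _ in shares])
    return sum(lam[i] * sh for i, sh in shares) % P

def reference_policy_key(s, id_v, policy):
    """What the full master key would produce; only used to check pkey_agg."""
    return s * bind(id_v, policy) % P

def demo(n=5, t=3):
    s, shares = pkey_gen(n, t)
    policy = [1, 0, 1, 1]  # constructed sample policy vector
    get = lambda ids, who: [pkey_share(i, shares[i], who, policy) for i in ids]
    key_v1 = pkey_agg(get((1, 3, 5), "verifier-1"))
    return {
        "t_shares_recover_key": key_v1 == reference_policy_key(s, "verifier-1", policy),
        "t_minus_1_shares_fail": pkey_agg(get((2, 4), "verifier-1")) != key_v1,
        # proxy re-verification (Section 4.1): same policy, new identity, fresh key
        "proxy_gets_own_key": pkey_agg(get((2, 3, 4), "proxy-verifier"))
        == reference_policy_key(s, "proxy-verifier", policy),
        # shares bound to different identities cannot be combined
        "mixed_identities_fail": pkey_agg(get((1, 2), "verifier-1")
                                          + get((3,), "proxy-verifier")) != key_v1,
    }

if __name__ == "__main__":
    print(demo())
```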
4.3. Overview of PriSign
4.4. Threat Model
4.5. Security Model
4.5.1. Unforgeability
4.5.2. Unlinkability
4.5.3. Token-Hiding
5. Construction of PriSign
5.1. Challenges and Intuitions
5.2. New Results and Building Blocks
5.2.1. Attribute-Based Credentials with Traceability
- : The user computes a ZKSoK , then sends their identity , attribute set , and to the issuer.
- : After is verified, the issuer chooses and computes , . Then, it sets and returns .
- : The user accepts the credential if holds.
5.2.2. Attribute-Based Credentials with Blindness
- : The user chooses a secret key , then computes a public key and a group element , chooses a random , and computes the ElGamal encryption for each (): . The user computes a ZKSoK and sets .
- : After is verified, the issuer recomputes and returns , where are computed as follows: .
- : The user computes and sets . The user accepts the credential if holds.
5.2.3. Threshold Inner-Product Functional Encryption
- Set
- Randomly choose
- Compute , and , and set
- Choose polynomials of degree with coefficients in , denoted as , and set
- Compute and where , and set
- Compute where , and set
- Set and compute
- Compute
- For each , check
- For each , compute
- Compute
- Randomly choose , then compute
- Compute
- Set
- If , compute
5.3. Concrete Construction
- : As shown in Figure 8, CA runs to generate public parameters (a Type-III bilinear group) for the other algorithms of the PriSign scheme, runs to generate keys used to issue public-key credentials for issuers, runs to generate keys used to issue attribute-based credentials for users, and runs to generate the keys used to issue keys for policymakers. Finally, it sets the public parameters , master secret key , master public key , and user registration list .
- : The ticket issuer runs to generate its secret key and public key used to issue tickets for users.
- : As shown in Figure 9, CA computes an SPS signature on the issuer’s public key and treats it as the issuer’s credential. The details of are shown in Supplemental Material E.2.
- : CA runs to generate keys for all policymakers.
- : The policymaker i runs to issue a share of the policy key to a verifier with identity and policy .
- : The verifier runs to obtain a compact policy key.
- : A user runs to create their private key, public key, and tracing key.
- : CA and a user run to create a credential for the user.
- : As shown in Figure 10, I computes a ZKSoK to prove to the user that it has been authenticated by CA. After verifying I’s and credential , U computes a credential presentation by executing , then randomly selects a double-spending identity for the ticket, blinds it by executing , and sends to I. I verifies the correctness of the user credential and chooses a validity period for the ticket, then computes a ticket by executing and returns . Finally, the user restores the ticket by executing .
- : CA runs to trace the user’s identity.
- : As shown in Figure 11, U computes a ticket presentation by executing , then randomly selects an encryption key K and encrypts the presentation information using the AES-CTR algorithm [39,40] to achieve token-hiding. Finally, U encrypts K using the attribute vector that matches the policy , i.e., , to achieve designated verification, and returns .
- : As shown in Figure 12, the designated verifier with policy key recovers key K by executing and decrypts the ticket presentation information using the AES-CTR algorithm. Then, it checks whether is within the validity period and checks all tickets with the same in the history to detect whether the ticket is double-spending. Finally, V verifies the correctness of the ticket presentation by executing .
6. Security Analysis
7. Performance Analysis
7.1. Theoretical Analysis
7.2. Experimental Analysis
8. Conclusions
Supplementary Materials
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Recordon, D.; Reed, D. OpenID 2.0: A platform for user-centric identity management. In Proceedings of the Second ACM Workshop on Digital Identity Management, Alexandria, VA, USA, 3 November 2006; pp. 11–16.
- MIT Kerberos: Kerberos: The Network Authentication Protocol. 2017. Available online: https://web.mit.edu/kerberos/ (accessed on 20 November 2022).
- European Union. General data protection regulation. Off. J. Eur. Union 2016, 49, L119. Available online: https://gdpr-info.eu (accessed on 20 November 2022).
- Elmufti, K.; Weerasinghe, D.; Rajarajan, M.; Rakocevic, V. Anonymous authentication for mobile single sign-on to protect user privacy. Int. J. Mob. Commun. 2008, 6, 760–769.
- Han, J.; Mu, Y.; Susilo, W.; Yan, J. A generic construction of dynamic single sign-on with strong security. In Proceedings of the International Conference on Security and Privacy in Communication Systems, Singapore, 7–9 September 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 181–198.
- Wang, J.; Wang, G.; Susilo, W. Anonymous single sign-on schemes transformed from group signatures. In Proceedings of the 2013 5th International Conference on Intelligent Networking and Collaborative Systems, IEEE, Xi’an, China, 9–11 September 2013; pp. 560–567.
- Lee, T.F. Provably secure anonymous single-sign-on authentication mechanisms using extended Chebyshev chaotic maps for distributed computer networks. IEEE Syst. J. 2015, 12, 1499–1505.
- Han, J.; Chen, L.; Schneider, S.; Treharne, H.; Wesemeyer, S. Anonymous single-sign-on for n designated services with traceability. In Proceedings of the European Symposium on Research in Computer Security, Barcelona, Spain, 3–7 September 2018; Springer: Cham, Switzerland, 2018; pp. 470–490.
- Han, J.; Chen, L.; Schneider, S.; Treharne, H.; Wesemeyer, S.; Wilson, N. Anonymous single sign-on with proxy re-verification. IEEE Trans. Inf. Forensics Secur. 2019, 15, 223–236.
- PriSign [Online]. Available online: https://github.com/PriSign/PriSign (accessed on 20 November 2022).
- Boneh, D.; Waters, B. A fully collusion resistant broadcast, trace, and revoke system. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 211–220.
- Dodis, Y.; Fazio, N. Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In Proceedings of the International Workshop on Public Key Cryptography, Miami, FL, USA, 6–8 January 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 100–115.
- Boneh, D.; Shen, E.; Waters, B. Strongly unforgeable signatures based on computational Diffie-Hellman. In Proceedings of the International Workshop on Public Key Cryptography, New York, NY, USA, 24–26 April 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 229–240.
- Goldwasser, S.; Micali, S.; Rivest, R.L. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 1988, 17, 281–308.
- Feige, U.; Fiat, A.; Shamir, A. Zero-knowledge proofs of identity. J. Cryptol. 1988, 1, 77–94.
- Goldreich, O.; Micali, S.; Wigderson, A. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM (JACM) 1991, 38, 690–728.
- Bellare, M.; Shi, H.; Zhang, C. Foundations of group signatures: The case of dynamic groups. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 14–18 February 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 136–153.
- Nguyen, L.; Safavi-Naini, R. Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, 5–9 December 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 372–386.
- Bergamo, P.; D’Arco, P.; De Santis, A.; Kocarev, L. Security of public-key cryptosystems based on Chebyshev polynomials. IEEE Trans. Circuits Syst. I Regul. Pap. 2005, 52, 1382–1393.
- Xiao, D.; Liao, X.; Deng, S. Using time-stamp to improve the security of a chaotic maps-based key agreement protocol. Inf. Sci. 2008, 178, 1598–1602.
- Au, M.H.; Susilo, W.; Mu, Y. Constant-size dynamic k-TAA. In Proceedings of the International Conference on Security and Cryptography for Networks, Maiori, Italy, 6–8 September 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 111–125.
- Camenisch, J.; Kiayias, A.; Yung, M. On the portability of generalized Schnorr proofs. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, 26–30 April 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 425–442.
- Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 213–229.
- Chatterjee, S.; Menezes, A. On cryptographic protocols employing asymmetric pairings—The role of Ψ revisited. Discret. Appl. Math. 2011, 159, 1311–1322.
- Han, J.; Chen, L.; Schneider, S.; Treharne, H.; Wesemeyer, S. Privacy-preserving electronic ticket scheme with attribute-based credentials. IEEE Trans. Dependable Secur. Comput. 2019, 18, 1836–1849.
- Feng, H.; Shi, R.; Yuan, F.; Li, Y.; Yang, Y. Efficient strong privacy protection and transferable attribute-based ticket scheme. J. Commun. 2022, 43, 63–75.
- Shi, R.; Feng, H.; Xie, H. Privacy-preserving attribute ticket scheme based on mobile terminal with smart card. J. Commun. 2022, 43, 26–41.
- Boneh, D.; Boyen, X. Short signatures without random oracles. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 56–73.
- Camenisch, J.; Chaabouni, R.; Shelat, A. Efficient protocols for set membership and range proofs. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’08), Melbourne, Australia, 7–11 December 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 234–252.
- Fuchsbauer, G.; Hanser, C.; Slamanig, D. Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J. Cryptol. 2019, 32, 498–546.
- Blömer, J.; Bobolz, J. Delegatable attribute-based anonymous credentials from dynamically malleable signatures. In Proceedings of the International Conference on Applied Cryptography and Network Security, Leuven, Belgium, 2–4 July 2018; Springer: Cham, Switzerland, 2018; pp. 221–239.
- Galbraith, S.D.; Paterson, K.G.; Smart, N.P. Pairings for cryptographers. Discret. Appl. Math. 2008, 156, 3113–3121.
- Groth, J. Efficient fully structure-preserving signatures for large messages. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, 29 November–3 December 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 239–259.
- Pointcheval, D.; Sanders, O. Short Randomizable Signatures. In Topics in Cryptology—CT-RSA 2016; Sako, K., Ed.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2016; Volume 9610.
- Do, X.T.; Phan, D.H.; Pointcheval, D. Traceable inner product functional encryption. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 24–28 February 2020; Springer: Cham, Switzerland, 2020; pp. 564–585.
- Katz, J.; Sahai, A.; Waters, B. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, 13–17 April 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 146–162.
- Chase, M.; Lysyanskaya, A. On signatures of knowledge. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 78–96.
- Sonnino, A.; Al-Bassam, M.; Bano, S.; Meiklejohn, S.; Danezis, G. Coconut: Threshold issuance selective disclosure credentials with applications to distributed ledgers. arXiv 2018, arXiv:1802.07344.
- NIST. Advanced Encryption Standard (AES). 2001. Available online: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf (accessed on 20 November 2022).
- NIST. Recommendation for Block Cipher Modes of Operation (Methods and Techniques). 2001. Available online: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf (accessed on 20 November 2022).
- MIRACL Ltd. [Online]. Available online: https://github.com/miracl/MIRACL (accessed on 20 November 2022).
- Fan, J.; Vercauteren, F.; Verbauwhede, I. Faster Fp-Arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Lausanne, Switzerland, 6–9 September 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 240–253.
Scheme | Unlinkability | Designated Verifiers | Proxy Re-Verification | Threshold Key Issuance | Token-Hiding | Traceability | Fine-Grained Access Control |
---|---|---|---|---|---|---|---|
[4] | √ | × | × | − | × | √ | × |
[5] | × | × | × | − | × | √ | × |
[6] | √ | × | × | − | × | √ | × |
[7] | × | × | × | − | × | × | × |
[8] | √ | √ | × | − | × | √ | × |
[9] | √ | √ | √ | × | × | √ | × |
[25] | √ | × | × | − | × | √ | √ |
[26] | √ | × | × | − | × | √ | √ |
[27] | √ | × | × | − | × | × | √ |
PriSign | √ | √ | √ | √ | √ | √ | √ |
Abbreviation | Description |
---|---|
CA | Central Authority |
I | Issuer |
P | Policymaker |
U | User |
V | Verifier |
SDL | Symmetric Discrete Logarithm |
DDH | Decisional Diffie–Hellman |
BDDH | Bilinear Decisional Diffie–Hellman |
PS | Pointcheval–Sanders |
SPS | Structure-Preserving Signatures |
EUF-CMA | Existentially Unforgeable under Chosen Message Attacks |
ZKSoK | Zero-Knowledge Signature of Knowledge |
ABCT | Attribute-Based Credential with Traceability |
ABCB | Attribute-Based Credential with Blindness |
IPFE | Inner-Product Functional Encryption |
TIPFE | Threshold Inner-Product Functional Encryption |
| Notation | Description |
|---|---|
| | security parameter/negligible function |
| | x is randomly selected from the set |
| | set |
| | a subset of |
| q | number of user attributes |
| | number of policymakers/threshold value |
| k | length of verifier’s policy |
| | public parameters/user registration list |
| | private key of system/public key of system |
| | private key/public key/credential of I |
| | private/verification key of P |
| | identity/policy/policy key of V |
| | identity/secret/public/tracing key of U |
| | attributes/credential of U |
| | double-spending identity/validity period |
| | attribute vector that matches a policy |
| | ticket/token of U |
| | set/number of indexes for disclosed attributes |
| CTX | random value |
| | collision resistant hash functions: |
| | collision resistant hash functions: |
| ⊥ | failed identifier |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Shi, R.; Yang, Y.; Xie, H.; Feng, H.; Shi, G.; Zhang, J. PriSign, A Privacy-Preserving Single Sign-On System for Cloud Environments. Appl. Sci. 2023, 13, 727. https://doi.org/10.3390/app13020727