Time Capsule Signature - PowerPoint PPT Presentation

1
Time Capsule Signature: Efficient and Provably Secure Constructions

Bessie Hu, Department of Computer Science, City University of Hong Kong, Hong Kong
Joint work with Duncan Wong, Qiong Huang, Guomin Yang, Xiaotie Deng
2
Outline
  • Introduction
  • Definition of Time Capsule Signature
  • Adversarial Model
  • Identity-based Trapdoor Relation
  • Generic Construction
  • Security Analysis
  • Extended IDTR
  • Distinguishable Time Capsule Signature

3
Introduction - Time Capsule Signature
  • Players: Signer, Verifier, and Time Server.
  • The signer can issue a future signature indicated
    by some time information t.
  • Properties:
      • The verifier can verify immediately that a
        signature will become valid at time t.
      • The signature will automatically become valid at
        time t, when the time server releases time-dependent
        information (known as a hatch signature).
      • The legal signer has the privilege to make the
        signature valid before time t (known as a pre-hatch
        signature).

4
Introduction - Time Capsule Signature
  • First formalized by Dodis and Yum in Financial
    Cryptography 2005.
  • Purpose:
      • To capture signatures that take effect in the future
        and to support a variety of e-commerce uses.
      • For example, in the case of debt repayment, a
        borrower can sign a check to indicate the
        repayment day (e.g. the due day). He may also
        wish to repay his debt earlier, in order to
        improve his credit history.
  • Requires that a pre-hatched signature be
    indistinguishable from a hatched signature.
  • Undesirable:
      • Requires full trust in the Time Server.

5
Our Results
  • Improve the security model of time capsule
    signature in the sense that the time server is
    not required to be fully trusted.
  • Present two generic constructions of Time Capsule
    Signature that are provably secure in the random
    oracle model and the standard model.

6
Definition

7
Adversarial Model
Game I: A_I simulates a malicious signer whose aim
is to produce a time capsule signature s_t
which looks good to a verifier, but cannot be
hatched at time t.
[Figure: S_I and A_I, with labels tpk, TRelease, and (m, t, s, upk)]
A_I wins if TVer(m, s, upk, tpk, t) = 1
and Ver(m, s, upk, tpk, t) = 0.
8
Adversarial Model
Game II: A_II simulates a malicious verifier who
wants to hatch a time capsule signature before
time t.
[Figure: S_II and A_II, with labels TSig, TRelease, PreHatch; tpk, upk; and (m, t, s)]
A_II wins if Ver(m, s, upk, tpk, t) = 1 and A_II
has never queried TRelease(t) and
PreHatch(m,t,).
9
Adversarial Model
Game III: A_III simulates a malicious time server
who wants to forge a signature.
[Figure: S_III and A_III, with labels tpk, tsk, upk; TSig, PreHatch; and (m, t, s)]
A_III wins if Ver(m, s, upk, tpk, t) = 1 and
A_III has never queried TSig(m,) for time t.
10
Identity-based Trapdoor Relation
  • An identity-based trapdoor relation (IDTR) is a
    set of relations ,
    where each relation R_id is called a trapdoor
    relation and there is a master trapdoor mtd_R for
    extracting the trapdoor td_id of each R_id.

11
Identity-based Trapdoor Relation
  • One-wayness: no one is able to find the witness
    of a commitment if the trapdoor information is
    not given.
  • Let O_Extract be an oracle simulating the
    trapdoor extraction procedure Extract, and
    Query(A, O_Extract) the set of queries an
    algorithm A asked to O_Extract. One-wayness states
    that the following probability is negligible for
    all PPT algorithms A = (A_1, A_2)

12
Identity-based Trapdoor Relation
  • Soundness: no one can produce a commitment whose
    witness cannot be found using Invert.
  • We require that the following probability should
    be negligible for all algorithms B

13
Identity-based Trapdoor Relation
  • Two concrete constructions:
  • In the Random Oracle Model
      • Based on Boneh and Franklin's IBE (2001)
      • D. Boneh and M. Franklin. Identity-based
        encryption from the Weil pairing. In Proc. CRYPTO
        2001, pages 213-229. Springer-Verlag, 2001. LNCS
        2139.
  • In the Standard Model
      • Based on Waters' IBE (2005)
      • B. Waters. Efficient identity-based encryption
        without random oracles. In Proc. EUROCRYPT 2005,
        pages 114-127. Springer-Verlag, 2005. LNCS 3494.

14
Generic Construction of TCS
  • Basic building blocks
  • IDTR (Gen, Sample, Extract, Invert, Check)
  • Standard Signature Scheme (Set, Sig, Verify)

15
Generic Construction of TCS
16
Security Analysis
  • Theorem 1. The proposed time capsule signature
    scheme is secure if the underlying public key
    signature scheme is existentially unforgeable
    against adaptive chosen message attacks (euf-cma)
    and the IDTR has the properties of one-wayness
    and soundness.

  • Security against Game I: soundness of IDTR.
    A malicious signer cannot produce a TCS which is
    unhatchable.
  • Security against Game II: one-wayness of IDTR.
    A malicious verifier cannot hatch a TCS without
    time-dependent information.
  • Security against Game III: euf-cma of the signature scheme.
    A malicious Time Server cannot forge a valid
    signature of a user.
17
Extended IDTR
  • (Gen, Sample, Reveal, Extract, Invert, CheckS,
    CheckI)

18
Extended IDTR
  • Hiding: captures a malicious system master who
    aims to forge a sampled witness for a given
    commitment.
  • Let O_Sample and O_Reveal be oracles simulating the
    procedures Sample and Reveal, respectively,
    where O_Sample only returns a commitment for each
    query. Let Query(A, O_X) be the set of queries an
    algorithm A asked to O_X, where X can be Sample or
    Reveal. Hiding states that the following probability
    is negligible for all PPT algorithms A

19
Distinguishable Time Capsule Signature
(TSSetup, UserSetup, TSig, TVer, TRelease, Hatch,
PreHatch, VerP, VerH)
20
Distinguishable TCS - Adversarial Model
In Dodis and Yum's construction, the Time Server
must be fully trusted: it is assumed that
the Time Server would not collude with any
malicious user and release a time trapdoor z_t
before t. Otherwise, there is no way to
distinguish whether a signature was pre-hatched by
the actual signer or hatched by a malicious Time
Server. In our distinguishable time capsule
signature, we make this act of a malicious Time
Server distinguishable.
Game IV
[Figure: S_IV and A_IV, with labels tpk, tsk, upk; TSig, PreHatch; and (m, t, s)]
A_IV wins if VerP(m, s, upk, tpk, t) = 1 and
A_IV has never queried PreHatch(m,t,)
21
Distinguishable TCS - Security Analysis
  • Theorem 2. The extended time capsule signature
    scheme is secure in Game IV if the underlying
    extended IDTR scheme has the Hiding property, and
    the standard signature scheme is existentially
    unforgeable against adaptive chosen message
    attacks (euf-cma).

22
Questions?
23
Thank You!