Efficient Sequential Aggregate Signed Data - PowerPoint PPT Presentation

About This Presentation
Title:

Efficient Sequential Aggregate Signed Data

Description:

Title: Security Proofs for Identity-Based Identification and Signature Schemes Author: Gregory Neven Last modified by: Gregory Neven Created Date – PowerPoint PPT presentation

Number of Views:42
Avg rating:3.0/5.0
Slides: 25
Provided by: Gregory226
Learn more at: http://www.neven.org
Category:

less

Transcript and Presenter's Notes

Title: Efficient Sequential Aggregate Signed Data


1
Efficient Sequential Aggregate Signed Data
  • Gregory Neven
  • IBM Zurich Research Laboratory
  • work done while at K.U.Leuven

2
Digital signatures
(pk,sk) ? KeyGen()
(pk),M,s
s ? Sign(sk,M)
0/1 ? Verify(pk,M,s)
3
Digital signatures
s1 ? Sign(sk1,M1)
(pk1,,pkn),M1,,Mn, s1,, sn
s1

sn
i 0/1 ? Verify(pki,Mi,si)
A
sn ? Sign(skn,Mn)
4
Aggregate signatures (AS)
BGLS03
s1 ? Sign(sk1,M1)
(pk1,,pkn),M1,,Mn, s
s1

sn
s ? Agg(s1,,sn)
0/1 ? Verify(pk,M,s)
sn ? Sign(skn,Mn)
  • Goal s lt s1 sn , preferably
    constant
  • Motivation certificate chains secure routing
    protocols save bandwidth ( battery life) for
    wireless devices

5
Sequential aggregate signatures (SAS)
LMRS04
s1 ? Sign(sk1,M1)
s1
s2 ? Sign(sk2,M2,s1)

sn-1
(pk1,,pkn),M1,,Mn, s
s sn ? Sign(skn,Mn,sn-1)
0/1 ? Verify(pk,M,s)
  • Goal s lt s1 sn , preferably
    constant
  • Motivation certificate chains secure routing
    protocols save bandwidth ( battery life) for
    wireless devices

6
Existing (S)AS schemes
Scheme Type Based on Key model RO
BGLS AS pairings plain Y
LMRS SAS RSA plain Y
LOSSW SAS pairings KoSK N
7
Drawbacks of existing schemes
  • Current drawbacks of pairings (BGLS, LOSSW)
  • trust in assumptions vs. factoring, RSA
  • no standardization
  • implementations
  • Rather inefficient verification (BGLS, LMRS)
  • BGLS n pairings
  • LMRS certified claw-free trapdoor permutations
  • instantiation from RSA requires e gt N
  • ? verification signing n full-length exps
  • Weak key setup model (LOSSW)
  • plain public-key vs. knowledge of secret key
    (KOSK)

8
Drawbacks of existing schemes
  • Security parameter flexibility (BGLS, LMRS,
    LOSSW)
  • e.g. certificate chains
  • BGLS, LOSSW no flexibility whatsoever
  • LMRS increasing modulus size only
  • ? exact opposite of what we need
  • No (S)AS schemes for currently existing
    keys/certificates!

security level
cert1 ? Sign(sk1, ID2pk2)
cert1
1
cert2 ? Sign(sk2, IDUpk, cert1)
2
cert2
s ? Sign(sk, M, cert2)
U
9
Our contributions
  • Generalization of SAS to SASD
  • SASD scheme with
  • instantations from low-exponent RSA and factoring
  • efficient signing (1 exp O(n) mult) and
  • verification (O(n) mult)
  • full flexibility in modulus size
  • compatible with existing RSA/Rabin keys and
    certificates
  • Pure SAS scheme with same properties
  • Generalization of multi-signatures to
    multi-signed data (MSD)
  • Non-interactive MSD scheme from RSA and factoring
  • (no pairings)

10
Sequential aggregate signatures
LMRS04
s1 ? Sign(sk1,M1)
s1
s2 ? Sign(sk2,M2,s1)

sn-1
(pk1,,pkn),M1,,Mn, s
s sn ? Sign(skn,Mn,sn-1)
0/1 ? Verify(pk,M,s)
  • Goal s lt s1 sn

11
Sequential aggregate signed data (SASD)
S1 ? Sign(sk1,M1)
S1
S2 ? Sign(sk2,M2,S1)

Sn-1
S
S Sn ? Sign(skn,Mn,Sn-1)
(pk,M)/ ? Verify(S)
-
  • Goal minimize net overhead S M1
    Mn

12
SASD scheme intuition
Step 1. Full-domain hash with message
recovery Trapdoor permutation p, message M mµ
H

m
µ
M
G
p
-1


X
h
m
S
net overhead 160 bits
13
SASD scheme intuition
Step 1. Full-domain hash with message
recovery Trapdoor permutation p, message M mµ
H

m
µ
M
G
p

X
h
m
S
net overhead 160 bits
14
SASD scheme intuition
Step 2. Aggregating the hashes
H
m1
µ1

M1
G
-1
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
-1
p
2
X2
h2
m2
S2

net overhead 2160 320 bits
15
SASD scheme intuition
Step 2. Aggregating the hashes (intuition only
insecure!)
H
m1
µ1

M1
G
-1
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
-1
p
2
X2
h2
m2
S2

net overhead 160 bits
16
SASD scheme intuition
Step 2. Aggregating the hashes (intuition only
insecure!)
H
m1
µ1

M1
G
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
p
2
X2
h2
m2
S2

net overhead 160 bits
17
SASD scheme intuition
Step 3. Recovering any type of data (intuition
only insecure!)
H
m1
µ1


M1
G
-1
p
1
X1
h1
m1
S1


H
M2
X1
G
-1
p
2
X2
h2
M2
S2

net overhead 160 bits
18
The SASD scheme
  • Step 4. Getting the details right see paper.
  • Theorem. If there exists a forger that
    (t,qS,qH,qG,n,e)-breaks SASD in the random oracle
    model, then there exists an algorithm that
    (t,e)-finds a claw in ?, where

19
Comparison of SAS(D) schemes
Scheme Based on Overhead( pk) Sign Verify
BGLS pairings 160 1 E n P
LOSSW pairings 320 2 P 160n M 2 P 160n M
LMRS RSA 1024 n E n E
SASD RSA, factoring 1601184 1 E 2n M 2n M
SAS RSA, factoring 1184 1 E 2n M 2n M
P pairing E exponentiation M
multiplication n signatures in aggregate
20
Non-interactive multi-signatures (MS)
n signatures on same message M
Sign(sk1,M)
s1
(pk1,,pkn), M, s

sn
0/1 ? Verify(pk,M,s)
S ? Agg(s1,, sn)
Sign(skn,M)
  • Goal s lt s1 sn

21
Non-interactive multi-signed data (MSD)
n signatures on same message M
Sign(sk1,M)
S1
S

Sn
(pk,M)/ ? Verify(S)
S ? Agg(S1,, Sn)
-
Sign(skn,M)
  • Goal minimize net overhead S M

22
MSD scheme
Each partial signature contains part of M
H
m1
µ1

M
m2
m3
µ2
µ3
m4
G
G
-1
p
G
1
-1
p
2
-1
p
3
h
m1
S1
S
m2
m3
S2
S3
m4

net overhead 160 bits
  • Who takes which part of M?
  • Fully non-interactive pos hash(pi,M)
  • Known co-signers fixed (e.g. lexicographic) order

23
Comparison of MS(D) schemes
Scheme Based on Overhead( pk) Sign Verify
Bol pairings 160 1 E 2 P n M
LOSSW pairings 320 2 E 160 M 2 P (160n) M
MSD RSA, factoring 160 1024n 160 1 E 2n M 2n M
P pairing E exponentiation M
multiplication n signatures in aggregate
24
Closing remarks
  • In summary propose SAS, SASD, MSD schemes
  • first based on low-exponent RSA and factoring
  • outperform existing schemes in many respects
  • free choice of modulus size
  • work with existing RSA/Rabin keys
  • Tight reduction using Katz-Wang, or next talk
  • Full version ePrint Report 2008/063
Write a Comment
User Comments (0)
About PowerShow.com