IAW 2006 Cascaded Authorization with Anonymous-Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

Presentation transcript:

IAW 2006
Cascaded Authorization with Anonymous-Signer Aggregate Signatures
Danfeng Yao, Department of Computer Science, Brown University
Joint work with Roberto Tamassia
NSF grants CCF– , CNS– and IIS–

Outline
- Motivation for anonymity and aggregation
- Construction of Anonymous-Signer Aggregate Signature Scheme
- Security properties of the scheme
- Applications

Digital credential
- Digital credential is signed by the issuer with a digital signature scheme
  - To certify the credential holder
- Digital signature scheme
  - Signing uses the private key
  - Verification uses the public key
- [Diagram labels: Bob's credential ("Bob is a university professor", University's signature); Bob: public key, private key; University: public key, private key]
- The credential can be verified against university's public key

Motivation: Anonymous authorization
- Group signature schemes [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04, Camenisch Lysyanskaya 04]
  - Support anonymity
- [Diagram labels: Bank; Bank cashiers; Cashier's check; 1. Certify membership; 2. Request to sign; 3. Authorization]

Motivation: Aggregation
- [Diagram labels: 1. Request; 2. Authorization; 3. Authorization; 4. Authorization]
- [Boneh Gentry Shacham Lynn 03]

Our goal: Aggregate anonymous signatures
- Signing anonymity
- Signature aggregation
- [Diagram labels: Aggregate Signature; Delegation; Signatures; Aggregate]

Anonymous authorization chain
- [Diagram labels: 1. Request; 2. Authorization; 3. Authorization; 4. Authorization]

Anonymous-signer aggregate signature scheme
- Properties
  - Aggregation: Bob's signature can be added with Alice's
  - Anonymity: No one can tell that a signature is from Bob
  - Unlinkability: No one can tell that two signatures are from Bob
  - Non-framing: Alice cannot sign on behalf of Bob
  - Traceability: Bob's boss can find out that Bob is the signer
- Existing signature schemes do not satisfy all the requirements
  - Aggregate signature scheme
  - Group signature scheme
- Challenge: extending existing schemes is non-trivial

Aggregate signature scheme
- Aggregate signature scheme [Boneh Gentry Shacham Lynn 03]
  - The size of signatures and public keys 170 bits with security comparable to 1024 bit RSA and 320 bit DSA schemes
- Verification is linear in the number of individual signatures
- [Diagram: Bob (PK_1, SK_1) signs m_1 to get S_1; Alice (PK_2, SK_2) signs m_2 to get S_2; Eve (PK_3, SK_3) signs m_3 to get S_3; Bob aggregates: S_1 + S_2 + S_3 = S_A]
- How to make the aggregate signature scheme support anonymity?

An attempt to support anonymity using the existing aggregate signatures
- Signers sign with certified one-time signing keys
- Does not satisfy the non-framing requirement!
- [Diagram labels: Cashier picks (one-time) pub/private key pair; Authenticates and sends; Bank admin certifies with aggregate signature S_m (one-time member certificate); "Please sign my check"; Signs and aggregates: S_c + S_m = S_a; Verifies S_a with signing keys]

Our solution: anonymous-signer aggregate signature scheme
- Signing key has two parts
  - Long-term public key certified by CA
  - Random one-time secret
  - Combined to become the signing key
- Supports
  - Signature aggregation
  - Anonymous authorization
- Based on the aggregate signature scheme [Boneh Gentry Shacham Lynn 03]
- Standard assumptions for pairing-based cryptography

Overview: Anonymous-signer aggregate signature scheme
- [Diagram labels: Long-term public key; Public-key certificate C_k: trusted third-party certifies with aggregate signature; One-time secret; One-time member certificate S_m: bank admin certifies with aggregate signature; Cannot frame others; Combine; "Please sign my check"; Signs with signing key; Aggregates: S_c + S_m = S_a; Verifies S_a]

Entities and Operations in Our Scheme
- Entities
  - Role manager (cashier in this talk)
  - Role member (bank admin in this talk)
- Setup: Each entity chooses long-term public/private key pair
- Join: A user becomes a role member
  - Obtains membership certificates
- Sign: An entity signs on behalf of the role
  - Operation Sign produces a role signature
- Aggregate: Multiple role signatures are aggregated
- Verify: Aggregate role signatures are verified
- Open: A role manager revokes the anonymity of a signer by revealing his or her identity

Some math about the operations
- Private key s_u; public key P_u = s_u 
- One-time signing secret x_u; one-time signing public key s_u x_u 
- : public parameter
- Private key s_a; public key P_a = s_a 
- S_m = s_a H( ) (Certifies; Obtains)
- Signature S_c = s_u x_u H(m)
- Aggregates: S_c + S_m = S_a
- S_a (Verifies): role signature; may be aggregated further with others
- Framing is hard: equivalent to the computational Diffie-Hellman problem

Security
- Our anonymous-signer aggregate signature scheme satisfies the following requirements: correctness, unforgeability, anonymity, unlinkability, traceability, non-framing, coalition-resistance, and aggregation
- Assuming random oracle model, bilinear map, and gap groups.

An application: Anonymous role-based delegation
- The access to the digital library at a hospital is controlled
- Hospital's policy: University prof. can access
- Bob is a university professor and can access
- Researchers at a company collaborate with Bob; need to access
- Engineers at a lab collaborate with researchers; need to access

Another application: Protecting whistleblower
- Protects the identity of whistleblowers
  - The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter
- Supports efficient certification of a series of reports
- [Diagram: Signed reports of whistleblower(s): Enron scandal: day 101 (S_1), Enron scandal: day 102 (S_2), Enron scandal: day 103 (S_3), …; aggregated signature S_A]

Non-framing property
- Our scheme protects a cashier from being framed by anyone including bank admin
- Consider a simple attack by an admin
  - Picks random x* and s* and uses x*s* to sign
- Admin cannot misattribute a signature to a cashier u with pub key P_u = s_u 
  - e(s* x* , ) ≠ e(P_u, x* )
- In general, framing is equivalent to
  - Computing b , given q, a , and c  such that ab = c mod q
  - Known equivalence to CDH problem [Chen Zhang Kim 03]
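
The algebra of the "Some math about the operations" and "Non-framing property" slides, as an added example that is not from the slides or the authors' implementation. It uses an insecure toy model in which a group element is stored as its scalar multiple of the public parameter, so only the equations are illustrated. Assumptions: the names `pair`, `h`, `one_time`, `bound_to`, the parameters `P`, `Q`, `G`, `GEN`, the BGLS-style verification equation, and that the signer publishes x_u times the public parameter next to the one-time public key.

```python
# Added illustration, not the authors' code. Toy model: the group element
# a*GEN is stored as the scalar a mod Q, so discrete logs are exposed and
# this is insecure by construction; it only shows the algebra.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4  # constructed toy parameters: G has prime order Q mod P
GEN = 1                  # the slides' public parameter, in scalar form

def pair(a, b):
    """Bilinear map e(a*GEN, b*GEN) = G^(a*b)."""
    return pow(G, (a * b) % Q, P)

def h(msg):
    """Stand-in for hashing a message into the group (never the identity)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1) + 1

def keygen():
    """Long-term key pair (s_u, P_u = s_u*GEN)."""
    s_u = secrets.randbelow(Q - 1) + 1
    return s_u, s_u * GEN % Q

def one_time(s_u):
    """One-time secret x_u, one-time public key s_u*x_u*GEN, and x_u*GEN."""
    x_u = secrets.randbelow(Q - 1) + 1
    return x_u, s_u * x_u % Q, x_u * GEN % Q

def sign(s_u, x_u, msg):
    """Role signature s_u*x_u*H(m)."""
    return s_u * x_u * h(msg) % Q

def aggregate(sigs):
    """Aggregation is addition of the individual signatures."""
    return sum(sigs) % Q

def verify(agg, items):
    """BGLS-style check (assumed): e(agg, GEN) == prod e(H(m_i), otp_i)."""
    rhs = 1
    for otp, msg in items:
        rhs = rhs * pair(h(msg), otp) % P
    return pair(agg, GEN) == rhs

def bound_to(otp, x_gen, p_u):
    """Non-framing check from the slides: e(otp, GEN) == e(P_u, x*GEN)."""
    return pair(otp, GEN) == pair(p_u, x_gen)
```

A one-time key built from an admin-chosen s* different from s_u fails `bound_to` against P_u, which is the inequality on the non-framing slide; in a real pairing group the admin cannot recover s_u from P_u, which this scalar model does not capture.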