07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature.

Practical Immutable Signature Bouquets (PISB) for Authentication and Integrity in Outsourced Databases
Attila Altay Yavuz, Robert Bosch Research and Technology Center, Pittsburgh, PA 15203, USA
07/16/2013
6th ACM Conference on Security and Privacy in Wireless and Mobile Networks
27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec '13)

Motivation
- Data outsourcing is beneficial, especially for small and medium businesses: it reduces cost via continuous service, expertise, and maintenance/upgrades.
- Database as a Service (DAS) [1]: data owners outsource their data to a database service provider (e.g., IBM). The provider offers reliable maintenance of, and access to, the hosted data.
- Despite its benefits, DAS also brings security and privacy challenges:
  - Privacy versus utilization (e.g., searchable encryption)
  - Access privacy (e.g., ORAM [2])
  - Authentication and integrity: immutable digital signatures (e.g., [3,4])

A DAS Model and Limitations (I)
Model of Hacigumus et al. [1], extended by Mykletun et al. in [3]
- Data owner: each tuple in the database is one of M1,...,Mn; compute signatures S1,...,Sn and upload M1,...,Mn together with S1,...,Sn (high bandwidth).
- Server: semi-trusted entity; honest service, but what if it is compromised?
- Queriers (bandwidth, battery and/or computation limited): a query relates to some tuples on the server; the server returns tuples {M1,...,Mk} along with S1,...,Sk, and the querier verifies S1,...,Sk before accepting the results.
- Each query costs O(k) signature transmission. Can verification be made more efficient?

Digression: Aggregate Signatures
- Given multiple individual signatures and the corresponding public key(s), output a single compact (verifiable) signature.
- Condensed-RSA (C-RSA) [3]: aggregates signatures produced under the same private key.
- Boneh-Lynn-Shacham (BLS) [5]: cryptographic pairing-based; signatures under different private keys can be aggregated.

A DAS Model and Limitations (II)
DAS model of Mykletun et al. in [3]
- Data owner: each tuple in the database is one of M1,...,Mn; compute individual signatures S1,...,Sn with an aggregatable scheme (Agg) and upload M1,...,Mn together with S1,...,Sn (high bandwidth).
- Server: semi-trusted entity.
- Queriers (bandwidth, battery and/or computation limited): a query relates to some tuples on the server. Given the queried tuples {M1,...,Mk}, the server selects the corresponding S1,...,Sk, computes S = Agg(S1,...,Sk), and returns S as the aggregate signature; the querier verifies S before accepting the results.
- O(1) signature transmission and batch signature verification.
- Problem: aggregate signatures are mutable.

Problem Statement: Signature Mutability
Given two C-RSA signatures, it is possible to derive a new valid signature.
- Access control applications: colluding clients can elevate their access privileges.
- Paid database services: an online authorized music album distributor (server) stores a large database of digitally signed songs. Colluding clients can act as the "album distributor" without paying, by mixing and matching songs and their signatures, and steal the profit of the actual distributor.
- The same applies to the BLS signature scheme (aggregation is modular addition).

Limitations of Existing Immutable Signatures
Mykletun et al. developed immutable signature schemes in [3,4].
- Immutable Condensed RSA (IC-RSA): hide the C-RSA signature.
  - Guillou-Quisquater [6] based scheme: uses zero-knowledge to hide the C-RSA signature.
    (+) The most computationally efficient variant proposed in [3,4].
    (-) Interaction introduces communication overhead and delay.
    (-) A signature scheme is supposed to be non-interactive!
  - Skroot based scheme: uses a "signature of knowledge" [7] to hide the C-RSA signature.
    (+) Non-interactive, and more communication efficient than the GQ-based scheme.
    (-) High computational cost and storage cost.
- Immutable BLS Signatures (iBLS): BLS signature on m' = (m1,...,ml). Compute a secondary protection signature on m' and aggregate it onto the BLS signature.
  (+) Non-interactive and small signature.
  (-) The most computationally costly alternative on the verifier side (due to the cryptographic pairing).

Practical Immutable Signature Bouquets (PISB)
Two schemes: (i) PISB Condensed Sequential RSA (PISB-CSA-RSA); (ii) PISB-Generic.
- Non-interactive immutability and communication efficiency: PISB-CSA-RSA requires 1 KB overhead, while the GQ-based scheme in [3,4] requires 9 KB overhead.
- High computational efficiency: PISB-CSA-RSA is up to 40 times faster than the iBLS, Skroot and GQ based schemes in [3,4]. PISB-Generic offers pre-computability, which is ideal for the server to handle requests at peak times.
- Small signature sizes: PISB-CSA-RSA is more communication efficient than the GQ and Skroot based schemes in [3,4]. PISB-Generic is more efficient than PISB-CSA-RSA and comparable to iBLS [3,4].
- Low end-to-end delay: much faster response time, following from the properties above.
- Provable security: PISB schemes are the only immutable signatures with formal proofs.

PISB-CSA-RSA Scheme (Intuition)
- Recall iBLS signatures [3,4]: the server computes a protection signature over the queried data items and aggregates it onto the original aggregate signature.
- Limitation of IC-RSA: IC-RSA cannot aggregate signatures of the data owner and of clients, because the same modulus n cannot be shared among multiple signers (sharing it exposes the key [8]).
- Objective: server and data owner jointly compute a single compact RSA signature, such that the server can aggregate the C-RSA signature and its own protection RSA signature.
- Observation: Sequential Aggregate RSA (SA-RSA) [9] can help! (Simplified below.)

PISB-CSA-RSA Scheme (Detailed)

PISB-Generic Scheme (Intuition)
- Do we have to aggregate the protection signature at all?
- Power of simplicity: the server just computes a standard signature on the aggregate signature, and the final signature is defined as the pair (aggregate signature, protection signature).
- This seems communication inefficient, as it is not "fully aggregate". However, the ECDSA + (BLS or C-RSA) combination is much more communication and computation efficient than the Skroot and GQ schemes in [3,4].
- Flexible: allows cross-data-owner queries, and the protection signature can be any signature, such as an offline/online signature [10] or token-ECDSA [11].
- However, PISB-CSA-RSA outperforms PISB-Generic on various performance metrics.

PISB-Generic Scheme (Detailed)
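The following Python script is an added, constructed example (not code from the paper or its authors) that ties together three of the preceding slides: the C-RSA mutability shown under "Problem Statement", the PISB-Generic pair construction, and the sequential-aggregation intuition behind PISB-CSA-RSA. It assumes toy RSA keys built from Mersenne primes, SHA-256 reduced modulo n as a stand-in for a full-domain hash, plain RSA-FDH in place of the ECDSA protection signature the slides use, and a simplified additive masking in the spirit of SA-RSA [9] rather than the paper's actual PISB-CSA-RSA construction. All function names (make_key, crsa_aggregate, mutate, pisb_generic_sign, csa_rsa_sign, demo, ...) are the example's own.

```python
import hashlib
from math import prod

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy RSA key from two primes (constructed; far too small for real use)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


# Data owner and server hold separate moduli (the slides note that one modulus
# cannot be shared between signers). Mersenne primes keep the demo offline.
OWNER_N, OWNER_D = make_key(2**61 - 1, 2**89 - 1)      # ~150-bit modulus
SERVER_N, SERVER_D = make_key(2**107 - 1, 2**127 - 1)  # ~234-bit modulus, > OWNER_N


def h(n, *parts):
    """Hash-to-integer in Z_n: length-prefixed SHA-256 reduced mod n (toy FDH)."""
    hsh = hashlib.sha256()
    for part in parts:
        hsh.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(hsh.digest(), "big") % n


def rsa_sign(n, d, *parts):
    return pow(h(n, *parts), d, n)


def rsa_verify(n, sig, *parts):
    return pow(sig, E, n) == h(n, *parts)


# --- Condensed RSA (C-RSA): aggregate = product of owner signatures mod OWNER_N
def crsa_aggregate(sigs):
    return prod(sigs) % OWNER_N


def crsa_verify(agg, msgs):
    return pow(agg, E, OWNER_N) == prod(h(OWNER_N, m) for m in msgs) % OWNER_N


TUPLES = [b"song-1", b"song-2", b"song-3"]                 # constructed database
SIGS = {m: rsa_sign(OWNER_N, OWNER_D, m) for m in TUPLES}  # owner's per-tuple signatures


def answer_query(msgs):
    """Server returns the (mutable) C-RSA aggregate for the queried tuples."""
    return crsa_aggregate([SIGS[m] for m in msgs])


def mutate(agg_ab, agg_a):
    """Mutability: from the aggregates over {a,b} and {a}, the aggregate over {b}
    follows by dividing out (modular inverse); no key is involved."""
    return agg_ab * pow(agg_a, -1, OWNER_N) % OWNER_N


# --- PISB-Generic: final signature = (aggregate, standard signature on the aggregate)
def pisb_generic_sign(msgs):
    agg = answer_query(msgs)
    s = rsa_sign(SERVER_N, SERVER_D, agg.to_bytes(32, "big"))  # RSA-FDH stands in for ECDSA
    return agg, s


def pisb_generic_verify(sig, msgs):
    agg, s = sig
    return crsa_verify(agg, msgs) and rsa_verify(SERVER_N, s, agg.to_bytes(32, "big"))


# --- PISB-CSA-RSA intuition: fold the aggregate into a single RSA signature
def csa_rsa_sign(msgs):
    """Simplified sequential aggregation (constructed, after the idea of SA-RSA [9]):
    the server masks the owner's aggregate with a hash of the query and applies
    its own RSA trapdoor. Needs OWNER_N < SERVER_N so the aggregate fits."""
    agg = answer_query(msgs)
    x = (agg + h(SERVER_N, b"protect", *msgs)) % SERVER_N
    return pow(x, SERVER_D, SERVER_N)


def csa_rsa_verify(sig, msgs):
    x = pow(sig, E, SERVER_N)
    agg = (x - h(SERVER_N, b"protect", *msgs)) % SERVER_N  # unwind the server layer
    return agg < OWNER_N and crsa_verify(agg, msgs)         # then check the owner layer


def demo():
    """Returns (plain C-RSA accepts a mutated aggregate,
                PISB-Generic accepts the same mutation,
                the CSA-RSA-style signature over {a,b} is accepted for {b})."""
    a, b = TUPLES[0], TUPLES[1]
    forged_b = mutate(answer_query([a, b]), answer_query([a]))
    gen_ab, gen_a = pisb_generic_sign([a, b]), pisb_generic_sign([a])
    forged_generic = (mutate(gen_ab[0], gen_a[0]), gen_ab[1])
    return (crsa_verify(forged_b, [b]),
            pisb_generic_verify(forged_generic, [b]),
            csa_rsa_verify(csa_rsa_sign([a, b]), [b]))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The first element of demo() is the mutability problem from the slides: the derived aggregate over {b} verifies under plain C-RSA. In the PISB-Generic pair the protection signature was computed over the original aggregate, so the mutated aggregate no longer matches it; in the sequential variant the server's layer binds the aggregate to the exact query, so unwinding it for a different query yields garbage that fails the owner-side check.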

Performance Analysis
Estimated execution times (l = 10 query elements, in ms) are measured on a computer with an Intel(R) Core(TM) i7 Q720 CPU at 1.60 GHz and 2 GB RAM running Ubuntu. We used the MIRACL library. PISB-Generic is implemented with ECDSA + BLS with pre-computed parameters. End-to-end delay: Sign + Verify + transmission (remote client to server).
Figure callouts (the results table itself is not in the transcript): ~40 times more efficient; Small signature; Overall the most versatile choice; Non-cross signer; Best for server; Cross signer; Not ideal for verifier; Offline/online ECDSA+C-RSA.

Security Analysis
Immutable Existential Unforgeability under Chosen Message Attack (I-EU-CMA) for PISB:
- I-EU-CMA is an extension of EU-CMA such that the adversary also wins if the forgery is a combination or subset of the queried messages (i.e., a signature mutation).
- Definition figure callouts (figure not in the transcript): a vector of messages; winning condition.

Security Analysis (Cont')
Theorem 1. PISB-Generic is (t, qs,  )-I-EU-CMA secure if ASig is (t', qs,  )-EU-CMA secure and Sig is (t', qs,  )-EU-CMA secure, where t' = O(t) + qs·(Op + Op') and (Op, Op') are the signing costs of ASig and Sig, respectively.
- Any forgery on the aggregate signature also requires forging the protection signature s'. Generating a mutated signature on the aggregate likewise requires forging s'.
- The simulation is indistinguishable.
Theorem 2. PISB-CSA-RSA is (t, qs,  )-I-EU-CMA secure if RSA is (t', (2l)·qs,  )-EU-CMA secure, where t' = O(t) + (2l)·qs·Exp, and l and Exp denote the number of messages in a single query and the cost of a modular exponentiation, respectively.
- Forging a sequential aggregate RSA signature is as difficult as forging RSA. Because the protection signature is bound to the aggregate, producing a subset/combination requires forging RSA, and an individual forgery of data items requires forging the aggregate, thereby forging RSA.
- Given two RSA signature oracles (O1, O2), the simulator generates PISB-CSA-RSA signatures by computing a C-RSA signature via O1 and an SA-RSA signature via O2. The simulation is indistinguishable.

Conclusion
PISB schemes are efficient immutable signatures for outsourced databases.
- PISB-CSA-RSA: very low client computational overhead; compact constant-size signature; no interaction; a suitable choice for resource-limited clients.
- PISB-Generic: very simple, with various options; cross-signer aggregation is possible.
- More efficient than previous alternatives, with simplicity and a provable security guarantee.


References
[1] Hacigumus, H., Iyer, B., Mehrotra, S.: Providing database as a service. In: Proceedings of the 18th International Conference on Data Engineering (ICDE 2002), Washington, DC, USA, pp. 29–38 (2002)
[2] Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Privacy-preserving group data access via stateless oblivious RAM simulation. In: Proc. of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 157–167 (2012)
[3] Mykletun, E., Narasimha, M., Tsudik, G.: Authentication and integrity in outsourced databases. ACM Transactions on Storage (TOS) 2(2), 107–138 (2006)
[4] Mykletun, E., Narasimha, M., Tsudik, G.: Signature bouquets: Immutability for aggregated/condensed signatures. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS. LNCS, vol. 3193, pp. 160–176. Springer (2004)
[5] Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
[6] Guillou, L., Quisquater, J.: A "paradoxical" identity-based signature scheme resulting from zero-knowledge. In: Advances in Cryptology – CRYPTO, pp. 216–231 (1998)
[7] Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Advances in Cryptology – CRYPTO (1997)
[8] Ding, X., Tsudik, G.: Simple identity-based cryptography with mediated RSA. In: Joye, M. (ed.) CT-RSA. LNCS, vol. 2612, pp. 193–210. Springer, Heidelberg (2003)
[9] Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004)
[10] Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/on-line signatures: Theoretical aspects and experimental results. In: Cramer, R. (ed.) PKC. LNCS, vol. 4939, pp. 101–120. Springer, Heidelberg (2008)
[11] Naccache, D., M'Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In: Proc. of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '94), pp. 77–85 (1994)