The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures. Bei Liang, Hongda Li, Jinyong Chang.


Identity-Based Aggregate Signatures (slide figure, built up over several animation steps)

An authority holding the public key PK and the master secret key MSK issues identity secret keys: Bob (id 1) receives SK 1, Alice (id 2) receives SK 2, and Eve (id 3) receives SK 3. Bob signs m 1 to produce S 1, Alice signs m 2 to produce S 2, and Eve signs m 3 to produce S 3. An aggregator combines S 1, S 2, S 3 into a single aggregate signature S A, which proves that Bob, Alice and Eve indeed signed the messages m 1, m 2, m 3 respectively.

Reference: Identity-Based Aggregate Signatures. Gentry and Ramzan. PKC 2006.

Identity-Based Aggregate Signatures: prior work
1. IBAS [GR06], PKC 06
2. Sequential IBAS [BGN+06], CCS 07
3. IBAS (with same common token) [BJ10], PKC 10
4. Unrestricted IBAS [HSW13], CRYPTO 13

Identity-Based Aggregate Signatures
IBAS are restricted to:
1. share a common token, e.g., where a set of signatures can only be aggregated if they were created with the same common token;
2. require sequential additions, e.g., where a group of signers sequentially form an aggregate by each adding their own signature to the aggregate-so-far.

Identity-Based Aggregate Signatures How to achieve identity-based aggregate signatures from standard signatures?

Overview of our Approach
Standard signature scheme → Identity-based signature → Identity-based aggregate signature
Tools: universal samplers [HJK+14], indistinguishability obfuscation [HKW14]

Our Construction
Standard signature scheme + UP (universal parameters) + iO + OWFs → selectively secure identity-based aggregate signature*
Ingredients: wCCA PKE, homomorphic encryption, (puncturable) PRFs
*: n-bounded IBAS, i.e., at most n signatures can be aggregated.

Our Construction
IBAS.Setup:
1. HE.Setup → (pk HE, sk HE); HE.Enc(pk HE, 0) → ct i, for i = 1, …, n;
2. PKE.Setup → (pk, sk); sample a PRF key K and a universal parameter U;
3. Create program P 0 and the obfuscated programs iO(P 1), iO(P 2);
4. Output public parameters PP = (pk HE, U, P 0, iO(P 1), iO(P 2)) and master secret key msk = sk.

Program P 0 (hardwired: pk), on input r = r 0 || r 1:
1. SIG.Setup(r 0) → (vk SIG, sk SIG); PKE.Enc(pk, sk SIG; r 1) → c;
2. Output (vk SIG, c).

Our Construction
IBAS.KeyGen(sk, id):
1. InduceGen(U, P 0 || id) → (vk id, c id);
2. Return PKE.Dec(sk, c id) → sk id.

Our Construction
IBAS.Sign(sk id, m):
1. SIG.Sign(sk id, m) → σ;
2. Return σ.

Our Construction
IBAS.Aggregate(PP, {(id i, m i), σ i} i):
1. InduceGen(U, P 0 || id i) → (vk i, c i), for each i;
2. Return iO(P 1)({vk i, (id i, m i), σ i} i).

Program P 1 (hardwired: K, ct 1, …, ct n), on input {vk i, (id i, m i), σ i} i:
1. Compute t = σ 1 · ct 1 + · · · + σ n · ct n;
2. Compute s i = F(K, vk i || id i || m i || i || t);
3. Output σ agg = (t, ⊕ i s i).

Our Construction
IBAS.Verify(PP, {(id i, m i)} i, σ agg = (t, s)):
1. InduceGen(U, P 0 || id i) → (vk i, c i), for each i;
2. Return iO(P 2)({vk i, (id i, m i)} i, σ agg).

Program P 2 (hardwired: K), on input {vk i, (id i, m i)} i, σ agg = (t, s):
1. Compute s' = ⊕ i F(K, vk i || id i || m i || i || t);
2. Output 1 if s' = s, else output 0.

Security Proof idea (selective unforgeability game, shown as a sequence of hybrids)

Game-0:
Attacker commits to the target (id*, m*).
Challenger samples (pk HE, sk HE), (pk, sk), U, K, ct 1 = HE.Enc(0), …, ct n = HE.Enc(0), P 0, iO(P 1), iO(P 2) and sends P = (U, P 0, iO(P 1), iO(P 2)).
Key queries: id → sk id. Signing queries: (id, m) → σ.
Attacker outputs ((id 1, m 1), …, (id*, m*), …, (id n, m n)) and σ* agg.
Attacker wins if: id*, m* not queried, and Verify({(id i, m i)} i, σ* agg) = 1.

Game-1: as Game-0, but the target is written (id i*, m i*): the position i* at which the forgery's list contains (id*, m*) is fixed.

Game-2: ct i* = HE.Enc(1) instead of HE.Enc(0); all other ct i remain HE.Enc(0).

Game-3: (vk i*, sk i*) ← SIG.Setup and c i* ← PKE.Enc(sk i*) are sampled outside the universal sampler, and U = SimUGen(vk i*, c i*), the simulated universal parameter programmed to (vk i*, c i*) at the point P 0 || id i*.

Game-4: c i* ← PKE.Enc(1), i.e., c i* no longer encrypts sk i*.

Game-5: iO(P 1), iO(P 2) are replaced by iO(P* 1), iO(P* 2), so P = (U, P 0, iO(P* 1), iO(P* 2)). From the forgery σ* agg = (t*, s*) the reduction extracts (m i*, HE.Dec(sk HE, t*)) and breaks the unforgeability of the signature scheme.
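Why the extraction in Game-5 is a forgery on the standard signature scheme, written out as an added derivation that is not on the original slides (it uses the slides' notation and assumes, as step 1 of P 1 does, that HE is additively homomorphic with plaintext-scalar multiplication, and that Games 3 to 5 force an accepted σ* agg = (t*, s*) to carry a t* computed from a valid σ i* under vk i*):

From P 1 with the Game-2 ciphertexts,
t* = Σ_{i=1..n} σ i · ct i, where ct i = HE.Enc(pk HE, 0) for i ≠ i* and ct i* = HE.Enc(pk HE, 1),
so by the homomorphism
HE.Dec(sk HE, t*) = Σ_{i ≠ i*} σ i · 0 + σ i* · 1 = σ i*.

Hence (m i*, HE.Dec(sk HE, t*)) = (m i*, σ i*) is a valid signature on m i* under vk i*. Since m i* = m* was never queried for id i* = id*, this contradicts the unforgeability of SIG; the reduction can still answer the attacker's signing queries on id* through the SIG signing oracle, because after Game-4 the ciphertext c i* no longer contains sk i*, so the reduction never needs that key.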

THANK YOU!