1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters
2 Secure BGP
BGP “Speakers” send path update messages
S-BGP: sequence of messages + sigs; 4096 byte size limit
$(M_1, \sigma_1)$
$(M_1, \sigma_1), (M_2, \sigma_2)$
$(M_1, \sigma_1), (M_2, \sigma_2), (M_3, \sigma_3)$
3 Aggregate Sigs [BGLS03]
[Figure labels: Sign, Aggregate]
4 Aggregate Signatures [BGLS03]
A single short aggregate provides nonrepudiation for many different messages under many different keys
More general than multisignatures
Applications: X.509 certificate chains; Secure BGP route attestations; PGP web of trust
[Figure: certificate chain labels: Verisign, Verisign Europe, NatWest, NatWest WWW]
5 BGLS Aggregate Sigs
BLS Sigs: $PK = g^{a}$, $SK = a$
Sign($SK, M$): $\sigma = H(M)^{a}$
Verify($PK, M, \sigma$): $e(\sigma, g) = e(H(M), PK)$
Secure in R.O. Model --- Deterministic Signatures
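6 BGLS Aggregate Sigs
$PK_i = g^{a_i}$, $SK_i = a_i$
Sign($SK_i, M_i$): $\sigma_i = H(M_i)^{a_i}$
Aggregate($\sigma_1, \dots, \sigma_n$): $\sigma^* = \prod_{i=1}^{n} \sigma_i$
Verify($PK_i, M_1, \dots, M_n, \sigma^*$): $e(\sigma^*, g) = \prod_{i=1}^{n} e(H(M_i), PK_i)$
Verification requires n pairings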
7 Difficulty w/o Random Oracles
Known efficient signatures have a random component
Strong RSA sigs [GHR’99, CS’99]; B-Map [BB’04, CL’04, W’05]; Tree-sigs
Difficult to aggregate
Independent signatures => Independent randomness
8 Sequential Aggregates [LMRS’04]
Signing and Aggregation are a single operation
Inherently sequenced; not appropriate for PGP
[Figure label: Sign and Aggregate]
9 Our Approach
Build from W’05 signatures
Signer uses same randomness from previous sig
Then re-randomizes
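10 Our Aggregate Sigs
W’05 Sigs: $PK = e(g,g)^{a}, h, u_1, \dots, u_m$; $SK = a$
Sign($SK, M$): $\sigma = (\sigma', \sigma'') = \left( g^{a} \left( h \prod_{i=1}^{m} u_i^{M_i} \right)^{r},\ g^{-r} \right)$
Verify($PK, M, \sigma$): $e(\sigma', g) \cdot e\left( \sigma'', h \prod_{i=1}^{m} u_i^{M_i} \right) = e(g,g)^{a}$
Secure w/o R.O.s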
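11 Our Aggregate Sigs
$PK_i = e(g,g)^{a_i},\ h_i = g^{y_i'},\ u_{i,1} = g^{y_{i,1}}, \dots, u_{i,m} = g^{y_{i,m}}$
$SK_i = a_i, y_i', y_{i,1}, \dots, y_{i,m}$
Agg($SK_i, M_i, \sigma^* = (\sigma_1, \sigma_2)$): $x = DL\left( h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}} \right)$, $\sigma = (\sigma', \sigma'') = \left( g^{a_i} \sigma_2^{x} \sigma_1,\ \sigma_2 \right)$
Verify($PK, M_1, \dots, M_n, \sigma^* = (\sigma', \sigma'')$): $e(\sigma', g) \cdot e\left( \sigma'', \prod_{i=1}^{n} h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}} \right) = \prod_{i=1}^{n} e(g,g)^{a_i}$
Know DL PK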
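The aggregation and two-pairing verification from slides 10 and 11, as an added Python example that is not code from the slides or the paper. It is an insecure toy model that stores each group element as its exponent mod a prime, so the algebra runs without a pairing library. The function names, the prime Q, and the sign convention ($\sigma'' = g^{-r}$ as on slide 10, so the new hash enters as $\sigma_2^{-x}$) are assumptions of this example.

```python
import secrets

Q = 2**127 - 1  # prime group order for the toy model (assumed value)

# Toy model, algebra only and NOT secure: an element g^k (or e(g,g)^k) is
# stored as its exponent k mod Q. Multiplying elements adds exponents, and
# the pairing e(g^a, g^b) = e(g,g)^(ab) multiplies them.
def pair(a, b):
    return a * b % Q

def keygen(m):
    # SK_i = (a_i, y_i', y_i1..y_im). PK_i = (e(g,g)^a_i, h_i, u_i1..u_im)
    # has the same exponents, so the toy model uses one tuple for both.
    return (secrets.randbelow(Q), secrets.randbelow(Q),
            [secrets.randbelow(Q) for _ in range(m)])

def waters_hash(pk, bits):
    # h_i * prod_j u_ij^M_ij; as an exponent this is the signer's x = DL(...)
    _, y0, ys = pk
    return (y0 + sum(y for y, b in zip(ys, bits) if b)) % Q

def verify(pks, msgs, agg):
    # e(s1, g) * e(s2, prod_i H_i) == prod_i e(g,g)^a_i : two pairings total
    s1, s2 = agg
    h_all = sum(waters_hash(pk, m) for pk, m in zip(pks, msgs)) % Q
    return (pair(s1, 1) + pair(s2, h_all)) % Q == sum(pk[0] for pk in pks) % Q

def agg_sign(sk, bits, prev_pks, prev_msgs, agg=(0, 0)):
    # agg=(0, 0) is the empty aggregate (identity, identity)
    if not verify(prev_pks, prev_msgs, agg):
        raise ValueError("incoming aggregate does not verify")
    s1, s2 = agg                    # s2 = g^(-r) carries the shared randomness
    x = waters_hash(sk, bits)
    s1 = (s1 + sk[0] - s2 * x) % Q  # s1 * g^a_i * s2^(-x): reuses r
    # Re-randomize r -> r + t using only public keys and messages
    t = secrets.randbelow(Q)
    h_all = (sum(waters_hash(p, m) for p, m in zip(prev_pks, prev_msgs)) + x) % Q
    return (s1 + t * h_all) % Q, (s2 - t) % Q

def demo(n=3, m=8):
    # Constructed sample: n signers, each signing a random m-bit message
    keys = [keygen(m) for _ in range(n)]
    msgs = [[secrets.randbelow(2) for _ in range(m)] for _ in range(n)]
    agg = (0, 0)
    for i in range(n):
        agg = agg_sign(keys[i], msgs[i], keys[:i], msgs[:i], agg)
    return keys, msgs, agg
```

The aggregate stays two elements however many signers contribute, and `verify` evaluates two pairings regardless of n.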
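12 Comparisons

| Scheme | R.O. | Sequential | Size | Ver. | Sign |
|--------|------|------------|------|------|------|
| BGLS | YES | NO | 160 bits | n+1 pairings | 1 exp. |
| LMRS-2 | YES | | 1024 bits | 4 mult. | Ver. + 1 exp. |
| Ours | NO | YES | 320 bits | 2 pairings | Ver. + 1 exp. |

Shorter than LMRS
Faster Ver. than BGLS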
13 Summary and Open Problems
Sequential Aggregate Signatures w/o R.O.
Use same randomness sequentially
Arguably better Performance than R.O. schemes
Multi-Sigs and Verifiable Enc. Sigs
Shorter Public Parameters
Certificate Chains
Full Aggregate Signatures
14 THE END
15 Sequential Aggregate Chosen-Key Model
[Figure: Adversary and AggSign() oracle]
Nontriviality: $\sigma^*$ is a valid sequential aggregate; challenge key $pk = pk_j^*$ for some j; no oracle query at $pk_1^*, \dots, pk_j^*; M_1^*, \dots, M_j^*$.