Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Published byStephan Culverson Modified over 10 years ago

Similar presentations

Presentation on theme: "Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups."— Presentation transcript:

1 Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups

2  Message authenticity Cristina Onete || 24/10/2014 || 2 AmélieBaptiste Baptiste is waiting for a message from Amélie  Message authenticity How can he make sure it’s really from her?

3  Why sign  More importantly: Telling good content from bad updates virus definitions Baptiste malware trojans viruses Updates vs. malware and trojans Message should be sent by authorized party Cristina Onete || 24/10/2014 || 3

4  So far: MACs AmélieBaptiste Shared  Message authentication codes Usually implemented as a keyed hash function MSCheme = (KGen, MAC, Vf) Repudiation: anyone with sk can generate a tag (at least two people) Cristina Onete || 24/10/2014 || 4

5  Now: PK digital signatures AmélieBaptiste A  SScheme = (KGen, Sign, Vf) Anyone can verify the signature! Non-repudiation: signer can never deny generating a real signature Cristina Onete || 24/10/2014 || 5

6  Contents  Signatures vs. PK Encryption A common misconception The Hash and Sign method  Privacy-preserving signatures Ring signatures Signature Scheme security Group signatures Rings vs. Groups

7  Common misconception AmélieBaptiste AmélieBaptiste Public-Key Encryption Digital Signatures BA Secret B Inverse mechanisms? Secret Cristina Onete || 24/10/2014 || 7

8  Common misconception  Can we build signatures from encryption? Completely different functionality and goals! PropertyEncryption schemes Signatures schemes Message integrity Message confidentiality Non-repudiation Sender authentication  Using one primitive to get the other is dangerous! Single receiver Cristina Onete || 24/10/2014 || 8

9  Digital Signatures – Structure  SSchemes = (KGen, Sign, Verify) A Security parameter: determines key size Everyone Cristina Onete || 24/10/2014 || 9

10  Signature Security  Functionality – correctness:  Security: unforgeability BAA Verify Cristina Onete || 24/10/2014 || 10

11  Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 24/10/2014 || 11

12  Abuse encryption step Cristina Onete || 24/10/2014 || 12

13  Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 24/10/2014 || 13

14  Choosing messages well Cristina Onete || 24/10/2014 || 14

15  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Random-message attack: Lots of users all around Their messages are “random” Adv. gets (m, signa- ture) pairs Forge signature on new message! Cristina Onete || 24/10/2014 || 15

16  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Known-message attack: Lots of users all around Knows messages in advance, before re- ceiving any signature Adv. gets (m, signa- ture) pairs Forge signature on new message! Hi, how are you? I’m fine, thanks. How are you? I’m very well, thank you Cristina Onete || 24/10/2014 || 16

17  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Chosen-message attack: Lots of users all around Can choose messages that will be signed Adv. gets (m, signa- ture) pairs Forge signature on new message! …………… Cristina Onete || 24/10/2014 || 17

18  Attacks against Signatures Power of Attack Unf-RMAUnf-KMAUnf-CMA Weak Not strong/ Not weak Strong Cristina Onete || 24/10/2014 || 18

19  Hash and Sign in general  Use the same thing in general  Signature scheme  Hash function  Key generation: Signing: Verifying: Cristina Onete || 24/10/2014 || 19

20  Contents  Signatures vs. PK Encryption A common misconception The Hash and Sign method  Privacy-preserving signatures Ring signatures Group signatures Rings vs. Groups Signature Scheme security

21  So far: integrity & authenticity A  Successful verification means identifying signer! Cristina Onete || 24/10/2014 || 21

22  Ring Signatures Cristina Onete || 24/10/2014 || 22

23  Ring Signatures  Ring Signatures:  Regular Signatures: Cristina Onete || 24/10/2014 || 23

24  Ring Signature Properties  Anonymity: Flavours of anonymity depend on how much we let the adver- sary control the ring and the keys in it. ? ? ? Cristina Onete || 24/10/2014 || 24

25  Ring Signature Properties  Unforgeability: Could do this for a fixed ring, a chosen subring, or even allo- wing insider corruptions (the adversary learns secret keys) Cristina Onete || 24/10/2014 || 25

26  Aside: pairings Bilinear: Non-degenerate: Computable: Pairings exist for many groups. Not all are efficiently computable! Cristina Onete || 24/10/2014 || 26

27  Ring Signature – 2-Ring  Key generation: Cristina Onete || 24/10/2014 || 27

28  Ring vs. Group  Ring Signatures: Signer remains completely untraceable, even if he misbehaves No accountability  Group signatures Other ring members “independent” of signer, unaware of him Signer registers into a group of arbitrarily many signers Optional anonymity revocation : can extract signer if needed Cristina Onete || 24/10/2014 || 28

29  Ring Signatures Cristina Onete || 24/10/2014 || 29

30  Group Signatures G Cristina Onete || 24/10/2014 || 30

31  Optional Anonymity Revocation G Cristina Onete || 24/10/2014 || 31

32  Group Signatures  Syntax Registration key Revocation key Cristina Onete || 24/10/2014 || 32

33  Group Signature Properties  Full-anonymity: ? ? ? G Cristina Onete || 24/10/2014 || 33

34  Group Signature Properties  Full-traceability: G Cristina Onete || 24/10/2014 || 34

35  General strategy  Public key is a function of all the keys  Traceability: use a ZK proof of knowledge then use extractability to trace  Further Reading: [BMW03] Bellare, Micciancio, Warinschi: “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”, CRYPTO 2003 [BMW04] Boneh, Boyen, Shacham: “Short Group Signatures”, CRYPTO 2004 Cristina Onete || 24/10/2014 || 35

36 CIDRE Thanks!

Download ppt "Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups."

Similar presentations

Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment (11.3.2.1)

RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
Document #07-2I RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.

Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.

Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions
Year 6 mental test 10 second questions

Year 6 mental test 10 second questions

Similar presentations

Ads by Google