Presentation is loading. Please wait.

Presentation is loading. Please wait.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

Published byThomasina Wilkerson Modified over 9 years ago

Similar presentations

Presentation on theme: "IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with."— Presentation transcript:

1 IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with Roberto Tamassia NSF grants CCF–0311510, CNS–0303577 and IIS–0324846

2 Outline  Motivation for anonymity and aggregation  Construction of Anonymous-Signer Aggregate Signature Scheme  Security properties of the scheme  Applications

3 Digital credential  Digital credential is signed by the issuer with a digital signature scheme To certify the credential holder To certify the credential holder  Digital signature scheme Signing uses the private key Signing uses the private key Verification uses the public key Verification uses the public key Bob is a university Bob is a universityprofessor Public key Private key Bob University’s signature Public key Private key Bob’s credential University The credential can be verified against university’s public key

4 Motivation: Anonymous authorization Bank  Group signature schemes [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04, Camenisch Lysyanskaya 04] [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04, Camenisch Lysyanskaya 04] Support anonymity Support anonymity Bank cashiers 2. Request to sign Cashier’s check 1. Certify membership 3. Authorization

5 Motivation: Aggergation 1. Request 2. Authorization 3. Authorization 4. Authorization [Boneh Gentry Shacham Lynn 03]

6 Our goal: Aggregate anonymous signatures  Signing anonymity  Signature aggregation Aggregate Signature Delegation Signatures Aggregate

7 Anonymous authorization chain 1. Request 2. Authorization 3. Authorization 4. Authorization

8 Anonymous-signer aggregate signature scheme  Properties Aggregation: Bob’s signature can be added with Alice’s Aggregation: Bob’s signature can be added with Alice’s Anonymity: No one can tell that a signature is from Bob Anonymity: No one can tell that a signature is from Bob Unlinkability: No one can tell that two signatures are from Bob Unlinkability: No one can tell that two signatures are from Bob Non-framing: Alice cannot sign on behalf of Bob Non-framing: Alice cannot sign on behalf of Bob Traceability: Bob’s boss can find out that Bob is the signer Traceability: Bob’s boss can find out that Bob is the signer  Existing signature schemes do not satisfy all the requirements Aggregate signature scheme Aggregate signature scheme Group signature scheme Group signature scheme  Challenge: extending existing schemes is non-trivial

9 Aggregate signature scheme  Aggregate signature scheme [Boneh Gentry Shacham Lynn 03] The size of signatures and public keys 170 bits with security comparable to 1024 bit RSA and 320 bit DSA schemes The size of signatures and public keys 170 bits with security comparable to 1024 bit RSA and 320 bit DSA schemes  Verification is linear in the number of individual signatures Bob PK 1,SK 1 PK 1,SK 1 Alice PK 2,SK 2 PK 3,SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Bob aggregates + + = How to make the aggregate signature scheme support anonymity? Sign m 3 Sign m 3 Eve S2S2S2S2 S1S1S1S1 S3S3S3S3 SASASASA

10 An attempt to support anonymity using the existing aggregate signatures  Signers sign with certified one-time signing keys Does not satisfy the non-framing requirement! Cashier picks (one-time) pub/private key pair One-time member certificate Bank admin Authenticates and sends Certifies with aggregate signature SmSm SmSm Signs and aggregates Please sign my check ScSc + = SaSa Verifies with signing keys SaSa Pub key Private Key

11 Our solution: anonymous-signer aggregate signature scheme  Signing key has two parts Long-term public key certified by CA Long-term public key certified by CA Random one-time secret Random one-time secret Combined to become the signing key Combined to become the signing key  Supports Signature aggregation Signature aggregation Anonymous authorization Anonymous authorization  Based on the aggregate signature scheme [Boneh Gentry Shacham Lynn 03]  Standard assumptions for pairing-based cryptography

12 Overview: Anonymous-signer aggregate signature scheme Long-termpublic-key Public-key certificate Trusted third-party Certifies with aggregate signature CkCkCkCk One-time secret secret One-time member certificate Bank admin Certifies with aggregate signature SmSmSmSm Cannot frame others Combine SmSmSmSm Aggregates Please sign my check ScScScSc + = SaSaSaSa Verifies with signing key SaSaSaSa Signs with

13 Entities and Operations in Our Scheme  Entities Role manager (cashier in this talk) Role manager (cashier in this talk) Role member (bank admin in this talk) Role member (bank admin in this talk)  Setup: Each entity chooses long-term public/private key pair  Join: A user becomes a role member Obtains membership certificates Obtains membership certificates  Sign: An entity signs on behalf of the role Operation Sign produces a role signature Operation Sign produces a role signature  Aggregate: Multiple role signatures are aggregated  Verify: Aggregate role signatures are verified  Open: A role manager revokes the anonymity of a signer by revealing his or her identity

14 Some math about the operations Private key s u Public key P u = s u  One-time signing secret x u One-time signing public key s u x u  One-time signing public key s u x u   Public parameter  Public parameter SmSm s a H( ) Private key s a Public key P a = s a  Certifies Obtains SaSa Verifies ScSc Signature s u x u H(m) + = SaSa ScSc SmSm Aggregates SaSa Role signature; may be aggregated further with others Framing is hard – equivalent to computational Diffie-Hellman Problem

15 Security Our anonymous-signer aggregate signature scheme satisfies the following requirements: Our anonymous-signer aggregate signature scheme satisfies the following requirements:correctness,unforgeability,anonymity,unlinkability,traceability,non-framing,coalition-resistance, and aggregation assuming assuming random oracle model, bilinear map, and gap groups.

16 An application: Anonymous role-based delegation The access to the digital library at a hospital is controlled Bob is a university professor and can access Bob can access Researchers at a company collaborate with Bob Need to access Collaborate Engineers at a lab collaborate with researchers Need to access Collaborate Hospital’s policy University prof. can access

17 Another application: Protecting whistleblower  Protects the identity of whistleblowers The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter  Supports efficiently certification of a series of reports Signed reports of whistleblower(s) Enron scandal: day 101 Enron scandal: day 102 Enron scandal: day 103 Aggregated signature … S2S2S2S2 S1S1S1S1 S3S3S3S3 SASASASA

18

19 Non-framing property  Our scheme protects a cashier from being framed by anyone including bank admin  Consider a simple attack by an admin Picks random x* and s* and uses x*s* to sign Picks random x* and s* and uses x*s* to sign  Admin cannot misattribute a signature to a cashier u u with pub key P u = s u  u with pub key P u = s u  e(s*x* ,  ) ≠ e(P u, x*  ) e(s*x* ,  ) ≠ e(P u, x*  )  In general, framing is equivalent to Computing b , given q, a , and c  such that Computing b , given q, a , and c  such that ab = c mod q known equivalence to CDH problem [Chen Zhang Kim 03]

Download ppt "IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with."

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Digital Signatures. Anononymity and the Internet.

Digital Signatures. Anononymity and the Internet.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:

A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:

Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Security Management.

Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google