Presentation is loading. Please wait.

Presentation is loading. Please wait.

07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature.

Published byDamon Barnett Modified over 9 years ago

Similar presentations

Presentation on theme: "07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature."— Presentation transcript:

1 07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA attila.yavuz@us.bosch.com Practical Immutable Signature Bouquets (PISB) for Authentication and Integrity in Outsourced Databases 6 th ACM Conference on Security and Privacy in Wireless and Mobile Networks 27th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec '13)

2 Motivation Data outsourcing is beneficial, especially for small-medium business Reduces the cost via continuous service, expertise, maintenance/upgrade; Database as a Service (DAS) [1]: Data owners outsource their data to a database service provider (e.g., IBM). Database service provider offers a reliable maintenance and access for the hosted data. Despite its benefits, DAS also brings security and privacy challenges: Privacy versus utilization (e.g., searchable encryption) Access privacy (e.g., ORAM [2]) Authentication and integrity: Immutable digital signatures (e.g., [3,4]) 2 DBSec 2013

3 A DAS Model and Limitations (I) Model of Hacigumus et al. [1] extended by Mykletun et al. in [3] 3 DBSec 2013 M 1,…,Mn S1, …., Sn - Each tuple in database is M1,…, Mn - Compute signatures S1,…,Sn M 1,…,Mn S1, …., Sn High bandwidth - Semi-trusted entity - Honest service, but compromise? Return tuples {M1,…,Mk} along with S1,…,Sk Verify S1,…,Sk before accepting results - Bandwidth, battery and/or Computation limited queriers A query related to some tuples on the server Each query: O(K) signature transmission Better verification efficiency?

4 Digression: Aggregate Signatures Given multiple individual signatures and corresponding public key(s), output a single compact (verifiable) signature Condensed-RSA (C-RSA) [3]: Aggregate signatures with the same private key Boneh Lynn Shacham (BLS) [5]: Cryptographic pairing-based, signatures under the different private keys can be aggregated 4 DBSec 2013

5 A DAS Model and Limitations (II) DAS model of Mykletun et al. in [3] 5 DBSec 2013 M 1,…,Mn S1, …., Sn M 1,…,Mn S1, …., Sn - Each tuple in database is M1,…, Mn - Compute individual signatures S1,…,Sn with Agg High bandwidth - Semi-trusted entity - Bandwidth, battery and/or Computation limited queriers A query related to some tuples on the server Given tuples{M1,…,Mk}, Select corresponding S1,…,Sk S = Agg(S1,…,Sk) Return S as aggregate signature Verify S before accepting results O(1) signature transmission Batch signature verification Problem: Aggregate signatures are mutable

6 Problem Statement: Signature Mutability Given two C-RSA signatures, it is possible to derive a new valid signature 6 DBSec 2013 Access Control Applications: Colluding clients can elevate access privileges Paid Database Services: Online authorized music album distributor (server), store large database of digitally signed songs. Colluding clients can act as “album distributor” without paying, by mix-matching songs and their signatures. Steal profit of actual distributor. The same applies to BLS signature scheme (aggregation is modular addition).

7 Limitations of Existing Immutable Signatures Mykletun et al. developed immutable signature schemes in [3,4]. Immutable Condensed RSA (IC-RSA): Hide C-RSA signature Guillou-Quisquater [6] based scheme : Use zero-knowledge to hide C-RSA signature. (+) It is the most computationally efficient variant proposed in [3,4]. (-) Interaction introduces communication overhead and delay, (-) A signature scheme is supposed to be non-interactive! Skroot based scheme: Use “Signature of Knowledge” [7] to hide C-RSA signature (+) Non-interactive, more communication efficient than GQ-based scheme (-) High computational cost and storage cost Immutable BLS Signatures (iBLS) : BLS signature  on m’=(m1,…,ml). Compute a secondary protection signature  on m’, and aggregate  on . (+) Non-interactive and small signature (-) The most computationally costly alternative (due to crypto pairing): Verifier side 7 DBSec 2013

8 Practical Immutable Signature Bouquets (PISB) (i) PISB Condensed Sequential RSA (PISB-CSA-RSA); (ii) PISB-Generic. Non-Interactive Immutability: Communication efficiency, PISB-CSA-RSA requires 1 KB overhead, while GQ-based in [3,4] requires 9 KB overhead. High Computational Efficiency: PISB-CSA-RSA is up to 40 times faster than iBLS, skroot and GQ based schemes in [3,4]. PISB-Generic offers pre-computability, which is ideal for server to handle requests at peak times. Small Signature Sizes: PISB-CSA-RSA is more communication efficient than GQ and skroot based schemes in [3,4]. PISB-Generic is more efficient than PISB-CSA-RSA, and it is comparable to iBLS [3,4]. Low End-to-End Delay: Much faster response time based on the above properties. Provable Security: PISB schemes are only immutable signatures with formal proofs. 8 DBSec 2013

9 PISB-CSA-RSA Scheme (Intuition) Recall iBLS signatures [3,4]: Server computes a protection signature  over queried data items, and aggregate  on the original aggregate signature . Limitation of IC-RSA: IC-RSA cannot aggregate signatures of data owner and clients. The same modulo n cannot be shared among multiple signers (expose key [8]). Objective: Server and data owner jointly compute a single compact RSA signature, such that server can aggregate C-RSA signature and his protection RSA signature. Observation: Sequential Aggregate RSA (SA-RSA) [9] can help! (Simplified below) 9 DBSec 2013

10 PISB-CSA-RSA Scheme (Detailed) 10 DBSec 2013

11 PISB-Generic Scheme (Intuition) Do we have to aggregate protection signature? Power of Simplicity: Server just computes a standard signature  on the aggregate signature , and define the final signature as a pair ( ,  ). Seems communication inefficient as it is not “fully aggregate”. However: ECDSA + (BLS or C-RSA ) combination is much more communication and computation efficient than Skroot and GQ schemes in [3,4]. Flexible: Allows cross data owners queries, protection signature can be any signature such as offline/online signature [10], token-ECDSA [11]. However, PISB-CSA-RSA outperforms PISB-Generic for various performance metrics. 11 DBSec 2013

12 PISB-Generic Scheme (Detailed) 12 DBSec 2013

13 Performance Analysis 13 DBSec 2013 Estimated execution times (l = 10 query elements, in ms) are measured on a computer with an Intel(R) Core(TM) i7 Q720 at 1.60GHz CPU and 2GB RAM running Ubuntu 10.10. We used MIRACL library. PISB Generic is implemented with ECDSA + BLS with pre-computed parameters End-to-end delay: Sign + Verify + transmission (remote client –server) ~40 times more efficient Small signature Overall the most versatile choice Non-cross signer Best for server Cross signer Not ideal for verifier Offline/online ECDSA+C-RSA

14 Security Analysis Immutable Existential Unforgeability under Chosen Message Attack (I-EU-CMA) for PISB: 14 DBSec 2013 I-EU-CMA is an extension of EU-CMA such that adversary wins if the forgery is a combination or subset of queried messages (i.e., signature mutations). A vector of messages Winning condition

15 Security Analysis (Cont’) 15 DBSec 2013 Any forgery on  also requires forging protection signature s’. Generating mutable signature on  requires forging s’. Simulation is indistinguishable. Theorem 1. PISB-Generic is (t, qs,  )-I-EU-CMA secure, if ASig is (t’, qs,  )-EU- CMA secure and Sig is (t’, qs,  )-EU-CMA secure, where t’= O(t) + qs(Op + Op’) and (Op,Op’) are the cost of signing for ASig and Sig, respectively. Theorem 2. PISB-CSA-RSA is (t, qs,  )-I-EU-CMA secure, if RSA is (t’, (2l)  qs,  )-EU-CMA secure, where t’= O(t) + (2l)  qs  Exp, where l and Exp denote the modular exponentiation and number of messages in a single query, respectively. Forging sequential aggregate RSA signature  is as difficult as forging RSA.  is on, producing subset/combination requires forging RSA, individual forgery of data items require forging  thereby forging RSA. Given two RSA signature oracles (O1,O2), simulator generates PISB-CSA-RSA signatures by computing a C-RSA signature via O1 and a SA-RSA signature via O2. Simulation is indistinguishable.

16 Conclusion PISB schemes are efficient immutable signatures for outsourced databases PISB-CSA-RSA Very low client computational overhead Compact constant size signature, no interaction Suitable choice for resource-limited clients PISB-Generic Very simple, various options Cross signer aggregation is possible More efficient than previous alternatives: Simplicity Provable security guarantee 16 DBSec 2013

17 17

18 DBSec 2013 References 18 [1] Hacigumus, H., Iyer, B., Mehrotra, S.: Providing database as a service. In: Proceedings of the 18th International Conference on Data Engineering, ICDE 2002, Washington, DC, USA, pp. 29–38 (2002) [2] Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Privacy-preserving group data access via stateless oblivious ram simulation. Proc. of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 157–167 (2012) [3] Mykletun, E., Narasimha, M., Tsudik, G.: Authentication and integrity in outsourced databases. Transaction on Storage (TOS) 2(2), 107–138 (2006) [4] Mykletun, E., Narasimha, M., Tsudik, G.: Signature bouquets: Immutability for aggregated/condensed signatures. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 160–176. Springer, (2004) [5] Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) [6] Guillou L., Quisquater, J.: A “Paradoxical” Identity-Based Signature Scheme Resulting from Zero-Knowledge. Advances in Cryptology - Crypto (1998) 216–231 [7] Camenisch, J., Stadler, M.: Efficient Group Signature Schemes for Large Groups. Advances in Cryptology - Crypto (1997). [8] Ding, X., Tsudik, G.: Simple identity-based cryptography with mediated rsa. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 193–210. Springer, Heidelberg (2003) [9] Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004) [10] Catalano, D., Di Raimondo, M., Fiore, D., Gennaro, R.: Off-line/on-line signatures: Theoretical aspects and experimental results. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 101–120. Springer, Heidelberg (2008) [11] D. Naccache, D. M’Raïhi, S. Vaudenay, and D. Raphaeli. Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In Proc. of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’94), pages 77–85, 1994

Download ppt "07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature."

Similar presentations

New Publicly Verifiable Databases with Efficient Updates

New Publicly Verifiable Databases with Efficient Updates
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260

10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Authentication and Integrity in Outsourced Databases Kanaka Rajanala.

Authentication and Integrity in Outsourced Databases Kanaka Rajanala.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Privacy and Integrity Preserving in Distributed Systems Presented for Ph.D. Qualifying Examination Fei Chen Michigan State University August 25 th, 2009.

Privacy and Integrity Preserving in Distributed Systems Presented for Ph.D. Qualifying Examination Fei Chen Michigan State University August 25 th, 2009.
DSAC (Digital Signature Aggregation and Chaining) Digital Signature Aggregation & Chaining An approach to ensure integrity of outsourced databases.

DSAC (Digital Signature Aggregation and Chaining) Digital Signature Aggregation & Chaining An approach to ensure integrity of outsourced databases.

Similar presentations

Ads by Google