Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven.

Published byDennis Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven."— Presentation transcript:

1 Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven

2 2 Digital signatures (pk),M,σ σ ← Sign(sk,M) 0/1 ← Verify(pk,M,σ) (pk,sk) ← KeyGen()

3 3 Digital signatures … (pk 1,…,pk n ), M 1,…,M n, σ 1,…, σ n σ 1 ← Sign(sk 1,M 1 ) σ n ← Sign(sk n,M n ) σ1σ1 σnσn i : 0/1 ← Verify(pk i,M i,σ i ) A

4 4 Aggregate signatures (AS) … (pk 1,…,pk n ), M 1,…,M n, σ σ 1 ← Sign(sk 1,M 1 ) σ n ← Sign(sk n,M n ) σ1σ1 σnσn σ ← Agg(σ 1,…,σ n ) Goal: |σ| < |σ 1 | + … + |σ n |, preferably constant Motivation: certificate chains secure routing protocols save bandwidth (= battery life) for wireless devices 0/1 ← Verify(pk,M,σ) [BGLS03]

5 5 Sequential aggregate signatures (SAS) σ 1 ← Sign(sk 1,M 1 ) … (pk 1,…,pk n ), M 1,…,M n, σ σ 2 ← Sign(sk 2,M 2,σ 1 ) σ1σ1 σ n-1 σ = σ n ← Sign(sk n,M n,σ n-1 ) Goal: |σ| < |σ 1 | + … + |σ n |, preferably constant Motivation: certificate chains secure routing protocols save bandwidth (= battery life) for wireless devices 0/1 ← Verify(pk,M,σ) [LMRS04]

6 6 Existing (S)AS schemes SchemeTypeBased onKey modelRO BGLSASpairingsplainY LMRSSASRSAplainY LOSSWSASpairingsKoSKN

7 7 Drawbacks of existing schemes  Current drawbacks of pairings (BGLS, LOSSW)  trust in assumptions vs. factoring, RSA  no standardization  implementations  Rather inefficient verification (BGLS, LMRS)  BGLS: n pairings  LMRS: certified claw-free trapdoor permutations instantiation from RSA requires e > N → verification = signing = n full-length exps  Weak key setup model (LOSSW) plain public-key vs. knowledge of secret key (KOSK)

8 8 cert 1 ← Sign(sk 1, ID 2 ||pk 2 ) cert 2 ← Sign(sk 2, ID U ||pk, cert 1 ) cert 1 cert 2 σ ← Sign(sk, M, cert 2 ) 1 2 U Drawbacks of existing schemes  Security parameter flexibility (BGLS, LMRS, LOSSW) e.g. certificate chains  BGLS, LOSSW: no flexibility whatsoever  LMRS: increasing modulus size only → exact opposite of what we need  No (S)AS schemes for currently existing keys/certificates! security level

9 9 Our contributions  Generalization of SAS to SASD  SASD scheme with  instantations from low-exponent RSA and factoring  efficient signing (1 exp + O(n) mult) and verification (O(n) mult)  full flexibility in modulus size  compatible with existing RSA/Rabin keys and certificates  Pure SAS scheme with same properties  Generalization of multi-signatures to multi-signed data (MSD)  Non-interactive MSD scheme from RSA and factoring (no pairings)

10 10 Sequential aggregate signatures σ 1 ← Sign(sk 1,M 1 ) … σ 2 ← Sign(sk 2,M 2,σ 1 ) σ1σ1 σ n-1 σ = σ n ← Sign(sk n,M n,σ n-1 ) Goal: |σ| < |σ 1 | + … + |σ n | (pk 1,…,pk n ), M 1,…,M n, σ 0/1 ← Verify(pk,M,σ) [LMRS04]

11 11 Sequential aggregate signed data (SASD) Σ 1 ← Sign(sk 1,M 1 ) … Σ (pk,M)/ ← Verify(Σ) Σ 2 ← Sign(sk 2,M 2,Σ 1 ) Σ1Σ1 Σ n-1 Σ = Σ n ← Sign(sk n,M n,Σ n-1 ) Goal: minimize “net overhead” |Σ| – |M 1 | – … – |M n | ┴

12 12 SASD scheme intuition Step 1. Full-domain hash with message recovery Trapdoor permutation π, message M = m||µ H G = π net overhead ≈ 160 bits mµ Xhm = = Σ M

13 13 SASD scheme intuition mµ Xh Step 1. Full-domain hash with message recovery Trapdoor permutation π, message M = m||µ H G m π net overhead ≈ 160 bits = ? = = Σ M

14 14 SASD scheme intuition m1m1 µ1µ1 X1X1 h1h1 H G = m1m1 = π m2m2 µ2µ2 X2X2 h2h2 H G m2m2 π net overhead ≈ 2×160 = 320 bits Step 2. Aggregating the hashes Σ1Σ1 M1M1 = = Σ2Σ2 M2M2 1 2

15 15 SASD scheme intuition m1m1 µ1µ1 G π m2m2 µ2µ2 G π net overhead ≈ 160 bits H H Step 2. Aggregating the hashes (intuition only – insecure!) X1X1 h1h1 = m1m1 = X2X2 h2h2 m2m2 Σ1Σ1 M1M1 = = Σ2Σ2 M2M2 1 2

16 16 SASD scheme intuition m1m1 µ1µ1 G π m2m2 µ2µ2 G π net overhead ≈ 160 bits = ? H H Step 2. Aggregating the hashes (intuition only – insecure!) X1X1 h1h1 = m1m1 = X2X2 h2h2 m2m2 Σ1Σ1 M1M1 = = Σ2Σ2 M2M2 1 2

17 17 SASD scheme intuition m1m1 µ1µ1 X1X1 h1h1 Step 3. Recovering any type of data (intuition only – insecure!) G = m1m1 = π M2M2 X2X2 h2h2 G M2M2 π net overhead ≈ 160 bits H H X1X1 = = Σ1Σ1 M1M1 = Σ2Σ2 1 2

18 18 The SASD scheme Step 4. Getting the details right: see paper. Theorem. If there exists a forger that (t,q S,q H,q G,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where

19 19 Comparison of SAS(D) schemes SchemeBased on Overhead (– |pk|) SignVerify BGLSpairings1601 En P LOSSWpairings3202 P + 160n M LMRSRSA1024n E SASD RSA, factoring 160…11841 E + 2n M2n M SAS RSA, factoring 11841 E + 2n M2n M P = pairing E = exponentiation M = multiplication n = #signatures in aggregate

20 20 Non-interactive multi-signatures (MS) Sign(sk 1,M) Sign(sk n,M) … (pk 1,…,pk n ), M, σ Σ ← Agg(σ 1,…, σ n ) Goal: |σ| < |σ 1 | + … + |σ n | n signatures on same message M σ1σ1 σnσn 0/1 ← Verify(pk,M,σ)

21 21 Non-interactive multi-signed data (MSD) Sign(sk 1,M) Sign(sk n,M) … Σ Σ ← Agg(Σ 1,…, Σ n ) Goal: minimize “net overhead” |Σ| – |M| n signatures on same message M Σ1Σ1 ΣnΣn (pk,M)/ ← Verify(Σ) ┴

22 22 MSD scheme m1m1 µ1µ1 h H G = π Each partial signature contains part of M M m2m2 m3m3 µ2µ2 µ3µ3 m4m4 G π G π m1m1 Σ1Σ1 = Σ m2m2 m3m3 Σ2Σ2 Σ3Σ3 m4m4 net overhead ≈ 160 bits Who takes which part of M?  Fully non-interactive: pos = hash(π i,M)  Known co-signers: fixed (e.g. lexicographic) order 1 2 3

23 23 Comparison of MS(D) schemes SchemeBased on Overhead (– |pk|) SignVerify Bolpairings1601 E2 P + n M LOSSWpairings3202 E + 160 M 2 P + (160+n) M MSD RSA, factoring 160 … 1024n + 160 1 E + 2n M2n M P = pairing E = exponentiation M = multiplication n = #signatures in aggregate

24 24 Closing remarks  In summary: propose SAS, SASD, MSD schemes  first based on low-exponent RSA and factoring  outperform existing schemes in many respects  free choice of modulus size  work with existing RSA/Rabin keys  Tight reduction using Katz-Wang, or next talk  Full version: ePrint Report 2008/063

Download ppt "Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven."

Similar presentations

Advanced Security Constructions and Key Management Class 16.

Advanced Security Constructions and Key Management Class 16.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lecture 10 Signature Schemes Stefan Dziembowski www.dziembowski.net MIM UW 7.12.12ver 1.0.

Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.

A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.
1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13

Similar presentations

Ads by Google