Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.

Published byAileen Wood Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters."— Presentation transcript:

1 1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters

2 2 Secure BGP  BGP “Speakers” send path updates messages  S-BGP sequence of messages + sigs.  4096 byte size limit (M1,  1 ) (M1,  1 ), (M2,  2 ) (M1,  1 ), (M2,  2 ), (M3,  3 )

3 3 Aggregate Sigs [BGLS03] SignAggregate

4 4 Aggregate Signatures [BGLS03]  A single short aggregate provides nonrepudiation for many different messages under many different keys  More general than multisignatures  Applications:  X.509 certificate chains  Secure BGP route attestations  PGP web of trust Verisign Versign Europe NatWest NatWest WWW

5 5 BGLS Aggregate Sigs BLS Sigs: PK = g a SK=a Sign(SK,M):  =H(M) a Verify(PK,M,  ): e( ,g)=e( H(M), PK) Secure in R.O. Model --- Deterministic Signatures

6 6 BGLS Aggregate Sigs PK i = g a i SK i =a i Sign(SK i,M i ):  i =H(M  )  i Aggregate(  1,…  n ):  *=  i=1…  i Verify(PK i,M 1,…,M n,  *): e(  *,g)=  i=1,…n e( H(M i ), PK i ) Verification requires n pairings

7 7 Difficulty w/o Random Oracles  Known efficient signatures have a random component Strong RSA sigs[GHR’ 99, CS’99] B-Map [BB’04,CL’04.W’05] Tree- sigs  Difficult to aggregate Independent signatures => Independent randomness

8 8 Sequential Aggregates [LMRS’04]  Signing and Aggregation are a single operation  Inherently sequenced; not appropriate for PGP Sign and Aggregate

9 9 Our Approach  Build from W’05 signatures  Signer uses same randomess from previous sig  Then re-randomizes

10 10 Our Aggregate Sigs W’05 Sigs: PK = e(g,g) a,h, u 1,…,u m SK=a Sign(SK,M):  =(  ’,  ’’)=g a (h  i=1,…m u M i ) r, g -r Verify(PK,M,  ): e(  ’,g) e(  ’’, h  i=1,…m u M i )=e(g,g) a Secure w/o R.O.s

11 11 Our Aggregate Sigs PK i = e(g,g) a i,h i =g y i ’, u i,1 =g y i,1 …,u m, =g y i,m SK =a i,y i ’, y i,1,…,y i,m Agg(SK i,M i,  *=  1,  2 ): x=DL(h  j=1,…m u M i,j )   =(  ’,  ’’)=g a  2 x  1,  2  Verify(PK,M 1,…M n,  *=(  ’,  ’’)): e(  ’,g) e(  ’’,  i  1…n h j  j=1,…m u M i,j )=  i=1…n e(g,g) a i Know DL PK

12 12 Comparisons SchemeR.O.SequentialSizeVer.Sign BGLSYESNO160 bits n+1 parings 1 exp. LMRS-2YES 1024 bits 4 mult.Ver. + 1 exp. OursNOYES320 bits 2 pairingsVer. + 1 exp. Shorter than LMRSFaster Ver. than BGLS

13 13 Summary and Open Problems  Sequential Aggregate Signatures w/o R.O. Use same randomness sequentially Arguably better Performance than R.O. schemes  Multi-Sigs and Verifiable Enc. Sigs  Shorter Public Parameters Certificate Chains  Full Aggregate Signatures

14 14 THE END

15 15 Sequential Aggregate Chosen- Key Model  Nontriviality:  σ * is a valid sequential aggregate  challenge key pk = pk j * for some j;  No oracle query at pk 1 *,…,pk j *;M 1 *,…,M j *. Adversary AggSign() oracle

Download ppt "1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters."

Similar presentations

A Crash Course in Modern Crypto Tools Dan Boneh Stanford University.

A Crash Course in Modern Crypto Tools Dan Boneh Stanford University.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lecture 10 Signature Schemes Stefan Dziembowski www.dziembowski.net MIM UW 7.12.12ver 1.0.

Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.

Leakage-Resilient Signatures Sebastian Faust KU Leuven Joint work with Eike Kiltz CWI Krzysztof Pietrzak CWI Guy Rothblum Princeton TCC 2010, Zurich, Switzerland.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 Intro To Encryption Exercise 10. 2 Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google