A survey of the server-aided verification models

1 A survey of the server-aided verification models

2 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

3 Introduction • A brief review of the papers on server-aided verification (SAV) published between 2005 and 2012: GL05, Wu08, Wang10, Wang11, Wu11

4 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

5 Server-Aided Verification: Theory and Practice. Marc Girault and David Lefranc. Asiacrypt 2005, pp. 605–623, 2005. Cites: 16

6 Definitions • The model of an interactive proof of knowledge

7 Definitions • Definition 1. Legitimate / Misbehaving / Cheating. In an interactive proof of knowledge between a prover P and a verifier V, P may deviate from the protocol. • : legitimate • : cheating • : misbehaving

8 Definitions • Definition 2. SAV protocol.

9 Definitions • Definition 2. SAV protocol. The protocol is said to be a server-aided verification protocol (SAV) for if: • Auxiliary completeness. • Auxiliary soundness. • Computational saving. • Auxiliary non-repudiation.

10 Definitions

11 Auxiliary Soundness • The final predicate. Hard to know: the final predicate is constructed from the predicate by randomizing it, so that only the verifier knows it. Hard to solve: the final predicate is constructed from the predicate such that the final predicate is computationally hard to solve.

12 Security model in the case of signature schemes • To prove the soundness of an SAV protocol • Assume

13 SAV protocol for identification schemes: hard-to-know-based SAV protocol

14 SAV protocol for identification schemes: hard-to-solve-based SAV protocol

15 Comparison table

16 Summary • Proposes the security requirements that an SAV protocol must satisfy. • Extends existing signature scheme protocols so that they gain server-aided functionality.

17 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

18 Server-Aided Verification Signatures: Definitions and New Constructions. Wei Wu, Yi Mu, Willy Susilo, and Xinyi Huang. ProvSec 2008, pp. 141–155, 2008. Cites: 9

19 Definitions • A signature scheme

20 Definitions • Requirements: Completeness; Existential unforgeability of • Existential unforgeability under adaptive chosen message attacks

21 Definitions • Requirements: Existential unforgeability of • Setup. C: A: • Queries. A can request q_s sign queries. • Output. A outputs a pair and wins this game if

22 Definitions • A server-aided verification signature scheme: the ordinary signature scheme

23 Definitions • Requirements: Completeness; Computational saving; Existential unforgeability

24 Definitions • Requirements: Existential unforgeability of • Setup. C: A: • Queries. A can request the following queries: q_s sign queries and q_v server-aided verification queries. • A acts as the server, C acts as the verifier. • Executing SAV-Verify, C returns the result to A at the end of each query. • Output. A outputs a pair and wins this game if

25 Definitions

26 Definitions • SAV- against Collusion and Adaptive chosen message attacks. Setup. C: A: Queries. A only needs to make server-aided verification queries. Output. A outputs a message m*. C chooses a random element where is the set of valid signatures of m* as the response. A wins this game if

27 SAV protocol for signature schemes

28 SAV protocol for signature schemes

29 SAV protocol for signature schemes

30 Summary • Defines the unforgeability of SAV. • Proposes the attack in which the signer and the server collude.

31 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

32 Comment on Wu et al.'s Server-aided Verification Signature Scheme. Zhiwei Wang, Licheng Wang, Yixian Yang, and Zhengming Hu. International Journal of Network Security, Vol. 10, No. 3, pp. 204–206, 2010. Cites: 5

33 New definition of the security of SAV-Σ against collusion and adaptive chosen message attacks • An untrusted server is very likely to collude with a signature forger. Setup. C: A: Queries. A can only make q_v server-aided verification queries. Output. A outputs a pair where is chosen by A under (pk_f, sk_f). A wins this game if

34 Summary • The authors consider the attack method of Wu et al. to be insufficiently detailed, so they propose a newer model and prove that Wu et al.'s SAV-BLS is secure under this model.

35 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

36 Provably secure server-aided verification signatures. Wei Wu, Yi Mu, Willy Susilo, and Xinyi Huang. Computer and Mathematics with Applications, pp. 1705–1723, 2011. Cites: 4

37 A new construction of the server-aided verification signature scheme. Zhiwei Wang. Mathematical and Computer Modeling, Vol. 55, Issues 1–2, pp. 97–101, 2011. Cites: 1

38 Outline • Introduction • Survey: GL05 • Survey: Wu08 • Survey: Wang10 • Survey: Wu11 and Wang11 • Conclusion

39 Comparisons (columns: GL05 | Wu08+11 | Wang10+11). Proof type: Interactive proof | Game-based. Requirements: Completeness, Soundness, Computational saving, Non-repudiation | Completeness, EUF => Soundness, Computational saving | Completeness +, Soundness +, Computational saving +. Attacks: Classical attacks | EUF Collusion and ACMA. Proposed schemes: 3 | 3+6 | 2+1.

40 The difference between the definitions of security against collusion and ACMA

41 Conclusions • Models • EUF => Soundness • The difference between the definitions of security against collusion and ACMA • More rational attack model: multi-signer; multi-server; server colludes with a misbehaving verifier

