Published by Lee Armstrong. Modified over 9 years ago.
1
Transitive Signatures based on Factoring and RSA
Mihir Bellare (University of California, San Diego, USA)
Gregory Neven (Katholieke Universiteit Leuven, Belgium)
2
Standard digital signatures
Key generation: SKG(1^k) → (spk, ssk)
Signing: SSign_ssk(M) → σ
Verification: SVf_spk(M, σ') → accept / reject
3
Transitive signatures [MR02]
Message is a pair of nodes i,j
Signing i,j = creating and authenticating edge {i,j}
An authenticated graph grows with time
Key generation: TKG(1^k) → (tpk, tsk)
Signing: TSign_tsk(i,j) → σ_{i,j}
Verification: TVf_tpk(i,j, σ') → accept / reject
[Diagram: nodes 1 to 5 with signed edges σ_{1,2}, σ_{2,3} and σ_{4,5}]
4
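Transitive signatures [MR02]
Key generation: TKG(1^k) → (tpk, tsk)
Signing: TSign_tsk(i,j) → σ_{i,j}
Verification: TVf_tpk(i,j, σ') → accept / reject
Additional composition algorithm: Comp_tpk(i,j,k, σ_{i,j}, σ_{j,k}) → σ_{i,k}
Authenticated graph is the transitive closure of the directly signed edges
[Diagram: nodes 1 to 5 with signed edges σ_{1,2}, σ_{2,3} and σ_{4,5}; composing σ_{1,2} and σ_{2,3} over nodes 1,2,3 gives σ_{1,3}]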
5
Security of transitive signatures
Standard security definition of [GMR] doesn't apply: composition allows forgery to some extent
New security goal [MR02]: computationally infeasible to forge signatures not in the transitive closure of the edges signed directly by the signer, even under "chosen-edge" attack
[Diagram: forger F receives tpk and queries the oracle TSign_tsk(·,·) on 1,2 ║ 2,3 ║ 4,5, obtaining σ_{1,2}, σ_{2,3}, σ_{4,5}. The graph on nodes 1 to 5 shows these edges plus the composed edge σ_{1,3}. F outputs {1,4}, σ_{1,4}.]
6
Why transitive signatures?
Applications? Micali and Rivest suggest:
  military chain-of-command (directed)
  administrative domains (undirected)
Compelling application yet to be found
But a cool concept!
7
RSATS-1: RSA based scheme [MR02]
Assume a standard signature scheme with key pair (spk, ssk); a node certificate is a message signed under ssk
tpk = (spk, N, e)
tsk = ssk
Signer assigns to each node i:
  secret label x_i ←R Z*_N
  public label y_i ← x_i^e mod N
  node certificate: (i, y_i) signed under ssk
To sign edge {1,2}: edge label δ_{1,2} ← x_1 · x_2^{-1} mod N
Signature: σ_{1,2} = (node certificate for (1, y_1), node certificate for (2, y_2), δ_{1,2})
Verification of σ_{1,2}:
  check the node certificates
  check δ_{1,2}^e = y_1 · y_2^{-1} mod N
[Diagram: nodes 1, 2, 3 with secret labels x_1, x_2, x_3, public labels y_1, y_2, y_3 and signed edge σ_{1,2}]
8
Composition in RSATS-1
To compose signatures σ_{1,2} and σ_{2,3}:
  σ_{1,2} = (node certificate for (1, y_1), node certificate for (2, y_2), δ_{1,2}) where δ_{1,2} = x_1 · x_2^{-1} mod N
  σ_{2,3} = (node certificate for (2, y_2), node certificate for (3, y_3), δ_{2,3}) where δ_{2,3} = x_2 · x_3^{-1} mod N
  σ_{1,3} = (node certificate for (1, y_1), node certificate for (3, y_3), δ_{1,3}) where
  δ_{1,3} = δ_{1,2} · δ_{2,3} mod N = (x_1 · x_2^{-1})(x_2 · x_3^{-1}) mod N = x_1 · x_3^{-1} mod N
x_i are kept in the signer's state
[Diagram: nodes 1, 2, 3 with labels x_i, y_i and edges σ_{1,2}, σ_{2,3}, σ_{1,3}]
9
Non-adaptive security of RSATS-1
RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
  RSA is one-way
  the underlying standard signature scheme is secure under chosen-message attack
Is RSATS-1 secure under adaptive attack?
  Neither proof nor attack known
  Might rely on stronger properties of RSA than one-wayness
  We consider security under one-more inversion [BNPS01]
10
RSA under one-more inversion
Adversary A is given N, e and two oracles:
  Chall: returns challenges y_1, …, y_m, each y_i ←R Z*_N
  RSA^{-1}_{N,e}(·): on queries z_1, …, z_n returns z_1^d mod N, …, z_n^d mod N
A outputs x_1, …, x_m
A is successful iff x_i^e = y_i mod N for i = 1..m and n < m
Assumption: this problem is hard [BNPS01]
Used before
  by [BNPS01] to prove security of Chaum's blind signatures
  by [BP02] to prove security of the GQ identification scheme
11
Adaptive security of RSATS-1
Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
  the one-more RSA-inversion problem is hard
  the underlying standard signature scheme is secure under chosen-message attack.
12
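Proof idea for RSATS-1
[Diagram: adversary A is given N, e and the oracles Chall and RSA^{-1}, and runs forger F on (spk, N, e). The graph has nodes 1 to 6 whose public labels y_1, …, y_6 are the challenges y_i from Chall. F's edge queries {1,2}, {2,3} and {1,3} are answered with σ_{1,2}, σ_{2,3}, σ_{1,3}, where δ_{1,2} and δ_{2,3} come from querying RSA^{-1} on y_1 · y_2^{-1} and y_2 · y_3^{-1}. Edges σ_{4,6} and σ_{5,6} are also shown, as is an inversion of y_1 to x_1. F outputs the forgery σ_{1,4}. A outputs x_1, …, x_6.]
The two components have n_1 nodes and n_2 nodes, costing n_1−1 queries and n_2−1 queries
If A would know x_3 (remember δ_{i,j} = x_i · x_j^{-1}):
  x_2 ← δ_{2,3} · x_3
  x_1 ← δ_{1,2} · x_2
(n_1−1) + (n_2−1) + 1 = n_1+n_2−1 queries < n_1+n_2 decrypted challenges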
13
FBTS-1: Factoring based scheme
tpk = (spk, N); tsk = ssk
Signer assigns to each node i:
  secret label x_i ←R Z*_N
  public label y_i ← x_i^2 mod N
  node certificate: (i, y_i) signed under ssk
Signature: σ_{1,2} = (node certificate for (1, y_1), node certificate for (2, y_2), δ_{1,2}) with δ_{1,2} = x_1 · x_2^{-1} mod N
Verification of σ_{1,2}:
  check the signatures on the node certificates for (1, y_1) and (2, y_2)
  check δ_{1,2}^2 = y_1 · y_2^{-1} mod N
Composition of σ_{1,2} and σ_{2,3}:
  σ_{1,3} = (node certificate for (1, y_1), node certificate for (3, y_3), δ_{1,3}) with δ_{1,3} = δ_{1,2} · δ_{2,3} mod N
[Diagram: nodes 1, 2, 3 with labels x_i, y_i and edges σ_{1,2}, σ_{2,3}, σ_{1,3}]
14
Security of FBTS-1
Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
  factoring N is hard
  the underlying standard signature scheme is secure under chosen-message attack.
Proof idea:
  with probability 1/2, forgery gives second square root
  signatures might leak information about known root → information-theoretic lemma needed
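
Added example (not from the presentation): why a second square root is enough to factor N, which is the step the proof idea above relies on. The toy primes, the sample x and all function names are assumptions chosen for illustration.

```python
from math import gcd

# Constructed toy modulus; real moduli are thousands of bits long.
P, Q = 10007, 10009
N = P * Q

def crt(a_p, a_q):
    """Combine a residue mod P and a residue mod Q into one residue mod N."""
    return (a_p * Q * pow(Q, -1, P) + a_q * P * pow(P, -1, Q)) % N

def square_roots(x):
    """All four square roots of x^2 mod N: (+-x mod P, +-x mod Q) recombined."""
    return sorted({crt(sp * x % P, sq * x % Q)
                   for sp in (1, -1) for sq in (1, -1)})

def factor_from_roots(x, other):
    """gcd(x - other, N) is a proper factor exactly when other is not +-x mod N."""
    g = gcd((x - other) % N, N)
    return g if 1 < g < N else None

def demo(x=123456):
    """Pair every root of x^2 mod N with the factor it reveals (or None)."""
    return [(r, factor_from_roots(x, r)) for r in square_roots(x)]

if __name__ == "__main__":
    for root, factor in demo():
        print(root, factor)
```

Two of the four roots (x and −x) reveal nothing and the other two reveal P or Q, so a root that is independent of the one the signer knows factors N half of the time.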
15
Node certification paradigm
For each node i, the signer:
  chooses secret label x_i
  computes public label y_i = f(x_i)
  creates node certificate for (i, y_i)
Signature: σ_{1,2} = (node certificate for (1, y_1), node certificate for (2, y_2), δ_{1,2}) where δ_{1,2} = g(x_1, x_2)
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = (node certificate for (1, y_1), node certificate for (3, y_3), δ_{1,3}) where δ_{1,3} = h(δ_{1,2}, δ_{2,3})

Scheme  | f(x_i)      | g(x_i, x_j)          | h(δ_{i,j}, δ_{j,k})
RSATS-1 | x_i^e mod N | x_i · x_j^{-1} mod N | δ_{i,j} · δ_{j,k} mod N
FBTS-1  | x_i^2 mod N | x_i · x_j^{-1} mod N | δ_{i,j} · δ_{j,k} mod N

[Diagram: nodes 1, 2, 3 with labels x_i, y_i and edges σ_{1,2}, σ_{2,3}, σ_{1,3}]
16
Eliminating node certificates
Let H_tpk be a public hash function
For each node i, signer lets:
  public label y_i ← H_tpk(i)
  secret label x_i ← "inversion" of y_i (using trapdoor information in tsk)
  RSATS-1 and FBTS-1, but not MRTS
Signature: σ_{1,2} = δ_{1,2} where δ_{1,2} = f(x_1, x_2)
Composition of σ_{1,2} and σ_{2,3}: σ_{1,3} = δ_{1,3} where δ_{1,3} = g(δ_{1,2}, δ_{2,3})
[Diagram: nodes 1, 2, 3 with y_1 = H_tpk(1), y_2 = H_tpk(2), y_3 = H_tpk(3), secret labels x_1, x_2, x_3 and edges σ_{1,2}, σ_{2,3}, σ_{1,3}]
17
RSATS-2 and FBTS-2
RSATS-2: Straightforward application of this idea to RSATS-1
Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
  the one-more RSA-inversion problem is hard
  H_N: {0,1}* → Z*_N is a random oracle.
FBTS-2: Modifications needed because public labels have to be squares mod N
Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
  factoring N is hard
  H_N: {0,1}* → Z*_N[+1] is a random oracle.
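
Added example (not from the presentation or the authors' code): the RSATS-1 edge-label algebra with the hash-derived labels of RSATS-2, showing signing, public verification and key-free composition end to end. The toy modulus, the SHA-256 stand-in for the random oracle H_N and the names h_n, tsign, tvf, comp and demo are assumptions.

```python
import hashlib
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                              # tpk = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # tsk: RSA trapdoor exponent

def h_n(node):
    """Assumed stand-in for H_N: {0,1}* -> Z*_N (SHA-256 plus a retry counter)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{node}|{ctr}".encode()).digest()
        y = int.from_bytes(digest, "big") % N
        if y > 0 and gcd(y, N) == 1:
            return y
        ctr += 1

def tsign(i, j):
    """Signer: x = H_N(node)^d mod N, then delta_{i,j} = x_i * x_j^{-1} mod N."""
    x_i, x_j = pow(h_n(i), D, N), pow(h_n(j), D, N)
    return x_i * pow(x_j, -1, N) % N

def tvf(i, j, delta):
    """Verifier (public key only): accept iff delta^e = y_i * y_j^{-1} mod N."""
    return pow(delta, E, N) == h_n(i) * pow(h_n(j), -1, N) % N

def comp(delta_ij, delta_jk):
    """Anyone: delta_{i,k} = delta_{i,j} * delta_{j,k} mod N, no secret needed."""
    return delta_ij * delta_jk % N

def demo():
    """Sign edges {1,2}, {2,3}, {4,5} as in the slides, then compose."""
    s12, s23, s45 = tsign(1, 2), tsign(2, 3), tsign(4, 5)
    s13 = comp(s12, s23)               # edge inside the transitive closure
    return {
        "direct": tvf(1, 2, s12) and tvf(2, 3, s23) and tvf(4, 5, s45),
        "composed_1_3": tvf(1, 3, s13),
        "composed_equals_direct": s13 == tsign(1, 3),
        # {1,5} is outside the closure: multiplying labels does not help
        "cross_component_1_5": tvf(1, 5, comp(s12, s45)),
    }

if __name__ == "__main__":
    print(demo())
```

The signer here keeps no per-node state because each x_i is recomputed from H_N(i) with the trapdoor, whereas in RSATS-1 the x_i are stored and bound to nodes by certificates.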
18
Previously known schemes

Scheme  | Security assumption                       | Ad.? | Signature size
Trivial | Standard signatures                       | Yes  | O(path length)
MRTS    | Discrete logarithms, Standard signatures  | Yes  | 2 stand. sigs, 2 points in G, 2 points in Z_q
RSATS-1 | One-wayness of RSA, Standard signatures   | No   | 2 stand. sigs, 3 points in Z*_N
19
Scheme contributions

Scheme  | Security assumption                       | Ad.? | Signature size
Trivial | Standard signatures                       | Yes  | O(path length)
MRTS    | Discrete logarithms, Standard signatures  | Yes  | 2 stand. sigs, 2 points in G, 2 points in Z_q
RSATS-1 | One-wayness of RSA, Standard sigs         | No   | 2 stand. sigs, 3 points in Z*_N
RSATS-1 | One-more RSA, Standard signatures         | Yes  | 2 stand sigs, 3 points in Z*_N
FBTS-1  | Factoring, Standard signatures            | Yes  | 2 stand sigs, 3 points in Z*_N
RSATS-2 | One-more RSA                              | Yes  | 1 point in Z*_N
FBTS-2  | Factoring                                 | Yes  | 1 point in Z*_N

[Additional column "RO?" on the slide; surviving entries: No, No]
20
Questions?