blind signatures with flying colors


  1. Blind Signatures with flying colors Olivier Blazy XLim, Université de Limoges Feb 2014 O. Blazy (XLim) Blind Sig Feb 2014 1 / 50

  2. Outline:
     1. General Remarks
     2. Building blocks
     3. Non-Interactive Proofs of Knowledge
     4. Interactive Implicit Proofs
     5. Can we do better?


  7. Electronic Voting. For dessert, we let people vote:
     - Chocolate Cake
     - Cheese Cake
     - Fruit Salad
     - Brussels Sprout
     After collection, we count the number of ballots: Chocolate Cake 123, Cheese Cake 79, Fruit Salad 42, Brussels Sprout 1.

  8. Authentication: only people authorized to vote should be able to vote; people should be able to vote only once. Anonymity: votes and voters should be anonymous. △ Receipt freeness.

  9. Homomorphic Encryption and Signature approach.
     - The voter generates his vote $v$.
     - The voter encrypts $v$ to the server as $c$.
     - The voter signs $c$ and outputs $\sigma$.
     - $(c, \sigma)$ is a ballot unique per voter, and anonymous.
     - Counting: granted homomorphic encryption, $C = \prod c$.
     - The server decrypts $C$.

  10. Electronic Cash. [Figure: coin life-cycle diagram with the labels Identify, Withdraw, Spend, Deposit and Randomize.]

  11. Protocol.
     - Withdrawal: a user gets a coin $c$ from the bank.
     - Spending: a user pays a shop with the coin $c$.
     - Deposit: the shop gives the coin $c$ back to the bank.
     Electronic Coins (Chaum 81). Expected properties:
     - Unforgeability: coins are signed by the bank.
     - No Double-Spending: each coin is unique.
     - Anonymity: Blind Signature.
     Definition (Blind Signature): a blind signature allows a user to get a message $m$ signed by an authority into $\sigma$ so that the authority, even if powerful, cannot later recognize the pair $(m, \sigma)$.

  12. RSA-Based Blind Signature. The easiest way to build a blind signature is to blind the message. To get an FDH-RSA signature on $m$ under RSA public key $(n, e)$:
     - The user computes a blind version of the hash value: $M = H(m)$ and $M' = M \cdot r^e \bmod n$.
     - The signer signs $M'$ into $\sigma' = M'^d$.
     - The user recovers $\sigma = \sigma' / r$.
     → Proven under the One-More RSA Assumption in 2001. → Perfectly Blind Signature.
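
The blinding, signing and unblinding steps of slide 12, as an added Python example (not from the original slides). The toy modulus built from two Mersenne primes, the SHA-256 stand-in for the full-domain hash $H$, and all function names are assumptions; `consistent_r` uses the private exponent only to show that every message is consistent with what the signer saw, which is what perfect blindness means.

```python
import hashlib
import math
import secrets

# Toy key built from two Mersenne primes (constructed; not a secure modulus)
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent d

def H(m: bytes) -> int:
    # Stand-in for a full-domain hash: SHA-256 reduced mod n
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes):
    # User: M' = H(m) * r^e mod n, with r invertible mod n
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return H(m) * pow(r, E, N) % N, r

def sign_blinded(m_blind: int) -> int:
    # Signer: sigma' = M'^d mod n; the signer only ever sees M'
    return pow(m_blind, D, N)

def unblind(sig_blind: int, r: int) -> int:
    # User: sigma = sigma' / r mod n, which equals H(m)^d
    return sig_blind * pow(r, -1, N) % N

def verify(m: bytes, sig: int) -> bool:
    # Anyone: accept iff sigma^e == H(m) mod n
    return pow(sig, E, N) == H(m)

def consistent_r(m_blind: int, other: bytes) -> int:
    # For ANY message there is an r' with H(other) * r'^e == M' mod n,
    # so M' alone says nothing about which message was blinded.
    return pow(m_blind * pow(H(other), -1, N) % N, D, N)

def run(m: bytes = b"coin #1"):
    m_blind, r = blind(m)
    sig = unblind(sign_blinded(m_blind), r)
    return m_blind, sig

if __name__ == "__main__":
    m_blind, sig = run()
    print("signature verifies:", verify(b"coin #1", sig))
```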

  13. Round-Optimal Blind Signature (Fischlin 06).
     - The user encrypts his message $m$ in $c$.
     - The signer then signs $c$ in $\sigma$.
     - The user verifies $\sigma$. He then encrypts $\sigma$ and $c$ into $C_\sigma$ and $C$ and generates a proof $\pi$.
     - $\pi$: $C_\sigma$ is an encryption of a signature over the ciphertext $c$ encrypted in $C$, and this $c$ is indeed an encryption of $m$.
     - Anyone can then use $C$, $C_\sigma$, $\pi$ to check the validity of the signature.

  14. Vote:
     - A user should be able to encrypt a ballot.
     - He should be able to sign this encryption.
     - Receiving this vote, one should be able to randomize it for Receipt-Freeness.
     E-Cash:
     - A user should be able to encrypt a token.
     - The bank should be able to sign it, providing Unforgeability.
     - This signature should then be randomizable, to provide Anonymity.
     Our Solution:
     - Same underlying requirements.
     - Advanced security notions in both schemes require extracting some kind of signature on the associated plaintext.
     - General Framework for Signature on Randomizable Ciphertexts.
     - Revisited Waters, Commutative encryption / signature.

  15. Outline:
     1. General Remarks
     2. Building blocks: Bilinear groups aka Pairing-friendly environments; Commitment / Encryption; Signatures; Security hypotheses
     3. Non-Interactive Proofs of Knowledge
     4. Interactive Implicit Proofs
     5. Can we do better?

  16. Asymmetric bilinear structure. $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ is a bilinear structure:
     - $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are multiplicative groups of order $p$, where $p$ is a prime integer;
     - $\langle g_* \rangle = \mathbb{G}_*$;
     - $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, with $\langle e(g_1, g_2) \rangle = \mathbb{G}_T$ and $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for $a, b \in \mathbb{Z}$;
     - deciding group membership, group operations and the bilinear map are efficiently computable.

  17. Definition (Encryption Scheme). $E = (\mathsf{Setup}, \mathsf{EKeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$:
     - $\mathsf{Setup}(1^K)$: param;
     - $\mathsf{EKeyGen}(\text{param})$: public encryption key pk, private decryption key dk;
     - $\mathsf{Encrypt}(\text{pk}, m; r)$: ciphertext $c$ on $m \in \mathcal{M}$ and pk;
     - $\mathsf{Decrypt}(\text{dk}, c)$: decrypts $c$ under dk.
     [Figure: diagram relating Encrypt, Random and Decrypt.]
     Indistinguishability: given $M_0, M_1$, it should be hard to guess which one is encrypted in $C$.

  18. Definition (ElGamal Encryption) (84).
     - $\mathsf{Setup}(1^K)$: generates a multiplicative group $(p, \mathbb{G}, g)$.
     - $\mathsf{EKeyGen}_E(\text{param})$: $\text{dk} = \mu \xleftarrow{\$} \mathbb{Z}_p$, and $\text{pk} = (X_1 = g^\mu)$.
     - $\mathsf{Encrypt}(\text{pk} = X_1, M; \alpha)$: for $M$, and random $\alpha \xleftarrow{\$} \mathbb{Z}_p$, $C = (c_1 = X_1^\alpha,\ c_2 = g^\alpha \cdot M)$.
     - $\mathsf{Decrypt}(\text{dk} = (\mu), C = (c_1, c_2))$: computes $M = c_2 / (c_1^{1/\mu})$.
     Randomization. $\mathsf{Random}(\text{pk}, C; r)$: $C' = (c_1 X_1^r,\ c_2 g^r) = (X_1^{\alpha + r},\ g^{\alpha + r} \cdot M)$.
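
The ElGamal variant of slide 18 with its randomization, applied to the homomorphic counting of slide 9, as an added Python example (not from the original slides). The toy group ($q = 2039$, $p = 1019$, $g = 4$), the encoding of a yes/no vote $v$ as $g^v$, and all function names are assumptions.

```python
import secrets

# Toy group (constructed): q = 2p + 1, g generates the subgroup of prime order p
Q, P, G = 2039, 1019, 4          # far too small for real use

def rand_exp() -> int:
    return secrets.randbelow(P - 1) + 1            # exponent in [1, p-1]

def keygen():
    mu = rand_exp()                                # dk = mu
    return mu, pow(G, mu, Q)                       # pk = X1 = g^mu

def encrypt(x1, m, alpha):
    # C = (c1, c2) = (X1^alpha, g^alpha * M), as on slide 18
    return pow(x1, alpha, Q), pow(G, alpha, Q) * m % Q

def decrypt(mu, c):
    c1, c2 = c
    g_alpha = pow(c1, pow(mu, -1, P), Q)           # c1^(1/mu) = g^alpha
    return c2 * pow(g_alpha, -1, Q) % Q            # M = c2 / g^alpha

def randomize(x1, c, r):
    # C' = (c1 * X1^r, c2 * g^r): same plaintext under randomness alpha + r
    return c[0] * pow(x1, r, Q) % Q, c[1] * pow(G, r, Q) % Q

def combine(ciphertexts):
    # Componentwise product C = prod c encrypts the product of the plaintexts
    c1 = c2 = 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % Q, c2 * b % Q
    return c1, c2

def tally(mu, ballots, max_votes):
    # With v encoded as g^v, the product decrypts to g^(sum of votes);
    # the sum is small, so it is recovered by exhaustive search.
    total = decrypt(mu, combine(ballots))
    return next(t for t in range(max_votes + 1) if pow(G, t, Q) == total)

def demo():
    mu, x1 = keygen()
    votes = [1, 0, 1, 1, 0]                        # constructed sample ballots
    ballots = [encrypt(x1, pow(G, v, Q), rand_exp()) for v in votes]
    # Re-randomize each ballot on receipt (slide 14's receipt-freeness step)
    published = [randomize(x1, c, rand_exp()) for c in ballots]
    return votes, ballots, published, tally(mu, published, len(votes)), mu

if __name__ == "__main__":
    votes, _, _, count, _ = demo()
    print("yes votes:", count, "of", len(votes))
```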

  19. Definition (Commitment Scheme). $E = (\mathsf{Setup}, \mathsf{Commit}, \mathsf{Decommit})$:
     - $\mathsf{Setup}(1^K)$: param, ck;
     - $\mathsf{Commit}(\text{ck}, m; r)$: $c$ on the input message $m \in \mathcal{M}$ using $r \xleftarrow{\$} \mathcal{R}$;
     - $\mathsf{Decommit}(c, m; w)$: opens $c$ and reveals $m$, together with $w$ that proves the correct opening.
     [Figure: diagram relating Commit and Decommit.]

  20. Definition (Signature Scheme). $S = (\mathsf{Setup}, \mathsf{SKeyGen}, \mathsf{Sign}, \mathsf{Verif})$:
     - $\mathsf{Setup}(1^K)$: param;
     - $\mathsf{SKeyGen}(\text{param})$: public verification key vk, private signing key sk;
     - $\mathsf{Sign}(\text{sk}, m; s)$: signature $\sigma$ on $m$, under sk;
     - $\mathsf{Verif}(\text{vk}, m, \sigma)$: checks whether $\sigma$ is valid on $m$.
     [Figure: diagram relating Sign and Random.]
     Unforgeability: given $q$ pairs $(m_i, \sigma_i)$, it should be hard to output a valid $\sigma$ on a fresh $m$.

  21. Definition (Waters Signature) (Wat05).
     - $\mathsf{Setup}_S(1^K)$: generates $(p, \mathbb{G}, \mathbb{G}_T, e, g)$, an extra $h$, and $(u_i)$ for the Waters function ($F(m) = u_0 \prod_i u_i^{m_i}$).
     - $\mathsf{SKeyGen}_S(\text{param})$: picks $x \xleftarrow{\$} \mathbb{Z}_p$ and outputs $\text{sk} = h^x$, and $\text{vk} = g^x$;
     - $\mathsf{Sign}(\text{sk}, m; s)$: outputs $\sigma(m) = (\text{sk} \cdot F(m)^s,\ g^s)$;
     - $\mathsf{Verif}(\text{vk}, m, \sigma)$: checks the validity of $\sigma$: $e(g, \sigma_1) \stackrel{?}{=} e(F(m), \sigma_2) \cdot e(\text{vk}, h)$.
     Randomization. $\mathsf{Random}(\sigma; r)$: $\sigma' = (\sigma_1 F(m)^r,\ \sigma_2 g^r) = (\text{sk} \cdot F(m)^{r+s},\ g^{r+s})$.

  22. Definition (DL): given $g, h \in \mathbb{G}^2$, it is hard to compute $\alpha$ such that $h = g^\alpha$. Definition (CDH): given $g, g^a, h \in \mathbb{G}^3$, it is hard to compute $h^a$.

  23. Outline:
     1. General Remarks
     2. Building blocks
     3. Non-Interactive Proofs of Knowledge: Groth Sahai methodology; Signature on Ciphertexts; Application to other protocols; Waters Programmability
     4. Interactive Implicit Proofs
     5. Can we do better?

  24. Groth-Sahai Proof System. Pairing product equation (PPE): for variables $X_1, \ldots, X_m \in \mathbb{G}_1$,

     $$(E):\quad \prod_{j=1}^{n} e(A_j, Y_j) \prod_{i=1}^{m} e(X_i, B_i) \prod_{i=1}^{m} \prod_{j=1}^{n} e(X_i, Y_j)^{\gamma_{i,j}} = t_T$$

     determined by $A_i \in \mathbb{G}_1$, $B_i \in \mathbb{G}_2$, $\gamma_{i,j} \in \mathbb{Z}_p$ and $t_T \in \mathbb{G}_T$.
     Groth-Sahai: WI proofs that elements that were committed satisfy the PPE.
     - $\mathsf{Setup}(\mathbb{G})$: commitment key ck;
     - $\mathsf{Com}(\text{ck}, X \in \mathbb{G}; \rho)$: commitment $\vec{c}_X$ to $X$;
     - $\mathsf{Prove}(\text{ck}, (X_i, \rho_i)_{i=1,\ldots,n}, (E))$: proof $\phi$;
     - $\mathsf{Verify}(\text{ck}, \vec{c}_{X_i}, (E), \phi)$: checks whether $\phi$ is valid.
