concurrent signatures
play

Concurrent Signatures Liqun Chen 1 , Caroline Kudla 2 and Kenneth G. - PowerPoint PPT Presentation

Feb 06, 2024 •6 likes •286 views

Concurrent Signatures Liqun Chen 1 , Caroline Kudla 2 and Kenneth G. Paterson 2 liqun.chen@hp.com, { c.j.kudla, kenny.paterson } @rhul.ac.uk 1 Hewlett-Packard Laboratories, Bristol, UK 2 Information Security Group Royal Holloway, University

  1. Concurrent Signatures Liqun Chen 1 , Caroline Kudla 2 ∗ and Kenneth G. Paterson 2 † liqun.chen@hp.com, { c.j.kudla, kenny.paterson } @rhul.ac.uk 1 Hewlett-Packard Laboratories, Bristol, UK 2 Information Security Group Royal Holloway, University of London, UK ∗ This author supported by Hewlett-Packard Laboratories. † This author supported by the Nuffield Foundation NUF-NAL02. EC04: Concurrent Signatures – p.1

  2. Contents of this Talk 1. Introduction to Concurrent Signatures 2. Comparison to Fair Exchange of Signatures 3. Applications of Concurrent Signatures 4. Technical Approach 5. Concrete Concurrent Signatures Scheme 6. Security Models and Results 7. Extensions and Open Problems 8. Concluding Remarks EC04: Concurrent Signatures – p.2

  3. Introduction to Concurrent Signatures A concurrent signature scheme is a signature scheme where: • Users can initially exchange non-binding signatures that are somehow linked, and • All signatures can concurrently be converted to full binding signatures. • Either no signatures are binding, or all signatures are. EC04: Concurrent Signatures – p.3

  4. The Building Blocks Ambiguous signatures: • Could have been produced by either of two parties, • Can convince other party but no-one else, • E.g. Two party ring signatures, designated verifier signatures. Keystone: • Seed for a keystone fix , • Release of keystone removes ambiguity. EC04: Concurrent Signatures – p.4

  5. How do Concurrent Signatures Work? Suppose entities A and B wish to exchange signatures on messages M A and M B respectively. A B k → keystone fix f σ A f → ambig. signature σ A − → EC04: Concurrent Signatures – p.5

  6. How do Concurrent Signatures Work? Suppose entities A and B wish to exchange signatures on messages M A and M B respectively. A B k → keystone fix f σ A f → ambig. signature σ A − → B verifies σ A σ B ← − f → ambig. signature σ B EC04: Concurrent Signatures – p.5

  7. How do Concurrent Signatures Work? Suppose entities A and B wish to exchange signatures on messages M A and M B respectively. A B k → keystone fix f σ A f → ambig. signature σ A − → B verifies σ A σ B ← − f → ambig. signature σ B A verifies σ B k A reveals k − → The pairs � σ A , k � and � σ B , k � are called concurrent signatures . EC04: Concurrent Signatures – p.5

  8. Fair Exchange of Signatures Fair exchange of signatures allow mutually distrustful parties to exchange signatures in a fair way. Fair means: Either each party obtains the other’s signature, or neither party does. Two main approaches to fair exchange of signatures: 1. Timed release of signatures, 2. Solutions involving a trusted third party. EC04: Concurrent Signatures – p.6

  9. Applications of Concurrent Signatures The Problem: A may never reveal the keystone to B . But: Same keystone validates both A and B ’s signatures, so either signature with keystone validates other signature. Existing mechanisms can guarantee delivery of keystone to B . So concurrent signatures are applicable when: EC04: Concurrent Signatures – p.7

  10. Applications of Concurrent Signatures The Problem: A may never reveal the keystone to B . But: Same keystone validates both A and B ’s signatures, so either signature with keystone validates other signature. Existing mechanisms can guarantee delivery of keystone to B . So concurrent signatures are applicable when: • A cannot withhold the keystone because she needs it to obtain a service from B . (E.g. Computer Depot) EC04: Concurrent Signatures – p.7

  11. Applications of Concurrent Signatures The Problem: A may never reveal the keystone to B . But: Same keystone validates both A and B ’s signatures, so either signature with keystone validates other signature. Existing mechanisms can guarantee delivery of keystone to B . So concurrent signatures are applicable when: • A cannot withhold the keystone because she needs it to obtain a service from B . (E.g. Computer Depot) • A cannot keep B ’s signature private in the long term (E.g. Credit card system). EC04: Concurrent Signatures – p.7

  12. Applications of Concurrent Signatures The Problem: A may never reveal the keystone to B . But: Same keystone validates both A and B ’s signatures, so either signature with keystone validates other signature. Existing mechanisms can guarantee delivery of keystone to B . So concurrent signatures are applicable when: • A cannot withhold the keystone because she needs it to obtain a service from B . (E.g. Computer Depot) • A cannot keep B ’s signature private in the long term (E.g. Credit card system). • A single third party C will verify both signatures (E.g. Politicians and press) EC04: Concurrent Signatures – p.7

  13. Technical Approach Ambiguous signature: Could be created by either of two parties. Keystone: Converts ambiguous signature into full binding signature. Approach: EC04: Concurrent Signatures – p.8

  14. Technical Approach Ambiguous signature: Could be created by either of two parties. Keystone: Converts ambiguous signature into full binding signature. Approach: 1. Ring signatures have desired ambiguity properties. EC04: Concurrent Signatures – p.8

  15. Technical Approach Ambiguous signature: Could be created by either of two parties. Keystone: Converts ambiguous signature into full binding signature. Approach: 1. Ring signatures have desired ambiguity properties. 2. Rivest et al. [RST01]: Signer can prove authorship by choosing certain bits pseudorandomly , and later reveal the seed used. EC04: Concurrent Signatures – p.8

  16. Technical Approach Ambiguous signature: Could be created by either of two parties. Keystone: Converts ambiguous signature into full binding signature. Approach: 1. Ring signatures have desired ambiguity properties. 2. Rivest et al. [RST01]: Signer can prove authorship by choosing certain bits pseudorandomly , and later reveal the seed used. We use the ring signature scheme of Abe et al. [AOS02] (an adaptation of Schnorr signature scheme [S91]). We call our seed a keystone , and use a cryptographic hash function to create the keystone fix from the keystone. EC04: Concurrent Signatures – p.8

  17. Definition of Scheme A concurrent signature scheme is a digital signature scheme comprised of the following algorithms: SETUP: On input a security parameter l , outputs the public parameters, a function KGEN, and the participants’ public and private keys. ASIGN: A probabilistic algorithm that produces an ambiguous signature on a message M . AVERIFY: An algorithm which verifies an ambiguous signature. VERIFY: An algorithm which takes a keystone and an ambiguous signature, verifies the ambiguous signature, and tests whether the keystone is valid. EC04: Concurrent Signatures – p.9

  18. The Concrete Scheme (1) SETUP: On input a security parameter l : • Select two large primes p and q s.t. q | p − 1 . • Select an element g ∈ Z ∗ p of order q . • Set the message and keystone spaces M , K = { 0 , 1 } ∗ , the signature and keystone fix spaces S , F ≡ Z q . • Select two cryptographic hash functions H 1 , H 2 : { 0 , 1 } ∗ → Z q and set KGEN= H 1 . • Select private keys x i ∈ R Z q and set the public keys X i = g x i mod p . EC04: Concurrent Signatures – p.10

  19. The Concrete Scheme (2) ASIGN: On input � X i , X j , x i , h 2 , M � , pick random t ∈ Z q and compute: h 2 mod p || M ) , h = H 2 ( g t X j h 1 = h − h 2 mod q , s = t − h 1 x i mod q. Output σ = � s, h 1 , h 2 � . AVERIFY: On input � σ, X i , X j , M � where σ = � s, h 1 , h 2 � , verify the equation h 1 + h 2 = H 2 ( g s X h 1 i X h 2 mod p || M ) mod q j Output accept or reject. EC04: Concurrent Signatures – p.11

  20. The Concrete Scheme (3) VERIFY: On input � k, S � where k ∈ K , S = � σ, X i , X j , M � , check if KGEN( k )= h 2 . If not, output reject, otherwise run AVERIFY ( S ) . EC04: Concurrent Signatures – p.12

  21. Security Model Security is defined via the following notions: Correctness: AVERIFY accepts signatures produced by ASIGN. Unforgeability: The adversary should not be able to create (ambiguous) signatures without the appropriate private key. Ambiguity: The adversary should not be able to distinguish which of two possible signers created an ambiguous signature. Fairness: If two ambiguous signatures use the same keystone fix f , then a keystone will either convert both signatures into full signatures, or neither. EC04: Concurrent Signatures – p.13

  22. Unforgeability Game We define existential unforgeability of a concurrent signature scheme under a chosen message attack using the following game between an adversary E and a challenger C . Setup: C runs SETUP for a security parameter l . E is given public parameters and the public keys { X i } . C retains the private keys { x i } . Queries: E can make the following queries to C : KGen Queries, KReveal Queries, ASign Queries, and Private Key Extract Queries. EC04: Concurrent Signatures – p.14

Recommend

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons

CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons

1 5/24/11 Concurrent Collec9ons CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons Acknowledgements Slides and material from Kathleen Knobe (Intel)

865 views • 20 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent

Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent

Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent enrollment allows high school students to enroll in college courses and receive college credit. The College and Career Access Pathways (CCAP) program

555 views • 21 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob Rees-Mogg Submitted to 10 Downing Street 21 March www.change.org Geographical spread of signatures Distribution of Signatures Bath East of

483 views • 13 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Concurrent Programming in Scala 1 / 7 Concurrent Programming 1 Concurrent programming:

Concurrent Programming in Scala 1 / 7 Concurrent Programming 1 Concurrent programming:

Concurrent Programming in Scala 1 / 7 Concurrent Programming 1 Concurrent programming: separate overlapping threads of execution, not necessarily run on separate processors/cores Parallel programming: separate threads of execution running

257 views • 7 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF? Associativity of binary operators y g y y Fully declarative definition of syntax Priorities between binary operators Implicit disambiguation

281 views • 6 slides
Wednesday, May 15 Concurrent Sessions Concurrent Session #1 1A Birds of a Feather -

Wednesday, May 15 Concurrent Sessions Concurrent Session #1 1A Birds of a Feather -

Wednesday, May 15 Concurrent Sessions Concurrent Session #1 1A Birds of a Feather - Admissions, Recruitment & International Facilitator: Gordon Pellerin (Grande Prairie Regional College) 1B Birds of a Feather - General/Front Line/

439 views • 14 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
Concurrent Enrollment Board Policy 6172.1 May 13, 2020 Background Definition of concurrent

Concurrent Enrollment Board Policy 6172.1 May 13, 2020 Background Definition of concurrent

Concurrent Enrollment Board Policy 6172.1 May 13, 2020 Background Definition of concurrent enrollment MHS/PHS current practices Concurrent enrollment policy in other districts Aligns to District LCAP Goals What problems are we trying to

437 views • 10 slides
DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA Coin flipping over the phone RSA Signatures allow you to recover the message from the signature; ElGamal signatures dont ElGamal Sig

410 views • 14 slides
What is Concurrent Programming? M. Ben-Ari Principles of Concurrent and Distributed Programming

What is Concurrent Programming? M. Ben-Ari Principles of Concurrent and Distributed Programming

CoSc 450: Programming Paradigms 01 What is Concurrent Programming? M. Ben-Ari Principles of Concurrent and Distributed Programming Second Edition Addison-Wesley, 2006 c Mordechai Ben-Ari 2006 Computer Time - 0 100 200 300 400

711 views • 15 slides
Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger Aggregate Signatures [Boneh-Gentry-Lynn-Shacham03] Idea: Compress several signatures into one PK 3 PK 1 PK 2 PK n M 3 M 1 M 2 M n Sig 1 Sig 2 Sig

646 views • 23 slides

More recommend