construction of universal designated verifier signatures
play

Construction of Universal Designated-Verifier Signatures and - PowerPoint PPT Presentation

Dec 17, 2023 •5 likes •465 views

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

  1. Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni Wollongong, Australia www.uow.edu.au/ ∼ sfs166 2 Dept Comp Sci & iCIS, Uni Calgary, Canada www.cpsc.ucalgary.ca/ ∼ rei PKC 2008 UDVS & IBS from Signatures Universities of Wollongong and Calgary

  2. Motivation Research Question Results Conclusion Notes Outline Motivation Universal Designated-Verifier Signatures Identity-Based Signatures Research Question Research Question Formulation of Patterns Results Our UDVS Construction and Its Security Our IBS Construction and Its Security Conclusion Concluding Remarks Notes Final Notes UDVS & IBS from Signatures Universities of Wollongong and Calgary

  3. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  4. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  5. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  6. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  7. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  8. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  9. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  10. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  11. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  12. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  13. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  14. Motivation Research Question Results Conclusion Notes Research Question So, What’s the problem Then? Although any NP relation has a Σ protocol, these generic protocols are normally not efficient! Is there any more efficient way to do it? UDVS & IBS from Signatures Universities of Wollongong and Calgary

  15. Motivation Research Question Results Conclusion Notes Formulation of Patterns Yes, There Is a Way! We don’t actually need strict honest-verifier zero-knowledge! Example Schnorr signature: c = H ( g z · h − c , m ) pk = ( p , q , g , h = g x ) , σ = ( c , z ) : To prove knowledge of a signature aux = g z · h − c ◮ give out g z = aux · h H ( aux , m ) ◮ prove knowledge of z : UDVS & IBS from Signatures Universities of Wollongong and Calgary

  16. Motivation Research Question Results Conclusion Notes Formulation of Patterns Yes, There Is a Way! We don’t actually need strict honest-verifier zero-knowledge! Example Schnorr signature: c = H ( g z · h − c , m ) pk = ( p , q , g , h = g x ) , σ = ( c , z ) : To prove knowledge of a signature aux = g z · h − c ◮ give out g z = aux · h H ( aux , m ) ◮ prove knowledge of z : UDVS & IBS from Signatures Universities of Wollongong and Calgary

Recommend

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Estonian Theory Days, Koke, Estonia Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa Helsinki University of Technology, Finland Guilin Wang and Feng Bao Institute of Infocomm Research, Singapore Koke,

732 views • 37 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Universal algebra Basics of universal algebra: signatures and algebras homomorphisms,

Universal algebra Basics of universal algebra: signatures and algebras homomorphisms,

Universal algebra Basics of universal algebra: signatures and algebras homomorphisms, subalgebras, congruences equations and varieties equational calculus equational specifications and initial algebras variations: partial

866 views • 32 slides
Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions Trivial (very inefficient) solution (to sign a single n bit message): r 10 r 20 r 30 Key: 2n random strings (each k-bit long) (r i0 ,r i1 ) i=1..n r 11

531 views • 10 slides
THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden University of Technology, Germany 1 MOTIVATION Universal construction Shows how to convert sequential algorithm into concurrent wait-free

331 views • 20 slides
Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint

Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint

Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint work with Jarik Neet ril Workshop on Homogeneous Structures 2011 Jan Hubi cka Explicit construction of universal structures Universal

990 views • 59 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA

INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA

INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA universal water tanks General features INTEGRA series Universal water heaters used for DHW heating and CH support Integrated DHW tank

419 views • 26 slides
From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction

From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction

From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction Authority, Singapore Edited transcript of presentation to 2 nd Australian Universal Design Conference 2016 Today I'm going to share the Singapore

75 views • 4 slides
Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS

Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS

Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS WASTES SOLID WASTES UNIVERSAL WASTES - Universal waste categories must be hazardous waste before they can be designated as universal wastes -

810 views • 40 slides
AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear

AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear

AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear PSS expressions AVERIST State-space partition Weighted ABSTRACTION MODEL-CHECKING Graph analysis graph Graph construction Counterexample

448 views • 21 slides
A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal

A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal

A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal characterization of the tripos-to-topos construction A universal characterization of the tripos-to-topos construction What should a universal

748 views • 46 slides
Developmental Services In Vermont Designated Agency System The Designated System operates on

Developmental Services In Vermont Designated Agency System The Designated System operates on

1/10/2019 Developmental Services In Vermont Designated Agency System The Designated System operates on a zero reject premise Ten Designated Agencies each responsible for a geographic region Eligibility Determination Assessment of

314 views • 5 slides
On a general construction of countable universal homogeneous algebraic systems Dragan Ma

On a general construction of countable universal homogeneous algebraic systems Dragan Ma

On a general construction of countable universal homogeneous algebraic systems Dragan Ma sulovi c Department of Mathematics and Informatics University of Novi Sad, Serbia (joint work with Wiesav Kubi s) AAA 88, Warsaw, 1922 June

384 views • 14 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Designated Agency Funding Structure Vermont Care Partners Designated and Special Services

Designated Agency Funding Structure Vermont Care Partners Designated and Special Services

Designated Agency Funding Structure Vermont Care Partners Designated and Special Services Agencies Finance Directors December 2, 2015 What Do We Do? Designated Agencies (DAs) have a statutory responsibility to meet all of the

838 views • 26 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Building a Haskell Verifier out of component theories Dick Kieburtz WG2.8, Frauenchiemsee, June

Building a Haskell Verifier out of component theories Dick Kieburtz WG2.8, Frauenchiemsee, June

Building a Haskell Verifier out of component theories Dick Kieburtz WG2.8, Frauenchiemsee, June 2009 Why a verifier for Haskell, in particular? Feasibility: Theres a recognized, stable version that is pretty well defined Haskell

403 views • 19 slides
Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and

Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and

Universal Credit Universal Credit Universal Credit is for working-age people aged over 18 and under State Pension age. Universal Credit will replace a number of current benefits: income-based Jobseekers Allowance (JSA);

332 views • 14 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides

More recommend