HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA *Partly supported by a DAAD postdoctoral fellowship
AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . . . σ 1 σ i σ n (trivial) „aggregator“ ESORICS 2011 Dominique Schröder 2
AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . . . same size as an ordinary signature!!! σ 1 σ i σ n „aggregator“ ESORICS 2011 Dominique Schröder 3
ROAD MAP Applications Security model Related Work Bilinear Maps Our Construction ESORICS 2011 Dominique Schröder 4
APPLICATIONS OF AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) Secure Routing Short Signatures Compression of Certificate Chains Short Group Sig Compression of Authenticated Data .... bandwidth saving! ESORICS 2011 Dominique Schröder 5
APPLICATIONS OF AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) (pk 1 ,m 1 , σ ) (pk 1 , pk 2, m 1 , m 2, σ ) (pk 1 , pk 2 ,..., m 1 , m 2, ,..., σ ) Sequential aggregate signature Key size?? ESORICS 2011 Dominique Schröder 6
SECURITY OF AGGREGATE SIGNATURES (Boneh, Lynn, and Shacham) sk � sk �� pk sk m σ sk sk ��� ( m 1 , pk 1 ) , . . . , ( m i , pk i ) , . . . , ( m n , pk n ) , σ ESORICS 2011 Dominique Schröder 7
SECURITY OF AGGREGATE SIGNATURES (Boneh, Lynn, and Shacham) adversary wins if: 1) (m 1 ,pk 1 ,..., m i ,pk i ,..., m n ,pk n , σ ) valid 2) Never queried the oracle about m i 3) Registered key: all keys (sk i ,pk i ) are registered sk m σ ESORICS 2011 Dominique Schröder 8
RELATED WORK Aggregate and Verifiably Encrypted Signatures from Bilinear Maps BGLS (ROM, non sequential, EUROCRYPT 2003) Sequential Aggregate Signatures from Trapdoor Permutations LMRS (ROM, sequential, EUROCRYPT 2004) Aggregate Signatures and Multisignatures Without Random Oracles LOSSW (sequential, large keys!, EUROCRYPT 2006) Efficient Sequential Aggregate Signed Data Neven (ROM, EUROCRYPT 2008) ESORICS 2011 Dominique Schröder 9
BILINEAR MAPS G, G T e: G x G -> G T g generator of G, e(g,g) generator of G T Non degenerate e(g,g) ≠ 1 e(g a ,g b ) = e(g,g) ab ESORICS 2011 Dominique Schröder 10
CL SIGNATURE SCHEME secure under the interactive LRSW assumption Kg: x,y <- Z p X := g x , Y := g y Sign: r <- Z p , a := g r , b := g ry , c := g r(x+Mxy) Vf: e(a,Y) = e(g,b) , e(X,a) * e(X,b) M =e(g,c) e(a,Y) = e(g r ,g y ) = e(g,g) ry = e(g,g ry ) = e(g,b) e(X,a) * e(X,b) M = e(g x ,g r ) * e(g x , g ry ) M = e(g,g) xr * e(g, g) xryM = e(g,g) xr+xryM = e(g,g) r(x+xyM) = e(g,g r(x+xyM) ) = e(g,c) ESORICS 2011 Dominique Schröder 11
OUR CONSTRUCTION Challenges Randomized signature: a := g r , b := g ry , c := g r(x+Mxy) Use ‘a’ from the previous signer re-randomize the signature afterwards. Cross-Terms public keys g a , g b and signatures S a and S b with Vf: e(g a , S a ) e(g a g b , S a S b ) = e(g a , S a S b ) e(g b , S a S b ) = e(g a , S a ) e(g b , S a ) e(g a , S b ) e(g b , S b ) ESORICS 2011 Dominique Schröder 12
RANDOMIZING sk=(x’,y’), pk=(X’,Y’) Randomized signature: a := g r , b := g ry , c := g r(x+Mxy) a’ := a b’ := a y‘ = g ry‘ c’:= a x’+Mx’y’ =g r(x’+Mx’y’) Re-randomizing: pick r’ a’ r’ := g rr’ b’ r’ := a y‘r’ = g rr’y‘ c’ r’ := a r’(x’+Mx’y’) =g r r’(x’+Mx’y’) ESORICS 2011 Dominique Schröder 13
CROSS TERMS Aggregate Extension Technique public keys g a , g b and signatures S a and S b with Vf: e(g a , S a ) e(g a g b , S a S b ) = e(g a , S a S b ) e(g b , S a S b ) = e(g a , S a ) e(g b , S b ) e(g b , S a ) e(g a , S b ) Extend the aggregate Signer a sends g a , S a Compute g b , S b Extend the aggregate by D:=S a g -b (S b ) -1 g a e(g a g b , S a S b ) e(D,g) = e(g a , S a S b ) e(g b , S a S b ) e(g,S a g -b (S b ) -1 g a ) ESORICS 2011 Dominique Schröder 14
OUR SCHEME a := g r , b := g ry , c := g r(x+Mxy) a := g r , b’ := g ry’ , c’ := g r(x’+M’x’y’) Aggregate A:= a , B := bb’= g r(y+y’) , C:=cc’ Verification: Π e(X i ,A)e(X i ,B) M i = e(g,C) Π e(X i ,B) M i = e(X,B) M e(X’,B) M‘ = e(g,B) xM e(g,B) x’M‘ = e(g,A y+y’ ) xM+x’M‘ = e(g,g r ) xyM+x’y’M‘+xy’M+x’yM‘ Extend D := X y’M Y x’M‘ = g x’yM‘+xy’M ESORICS 2011 Dominique Schröder 15
OUR SCHEME Structure of the aggregate A = g r , B = Π g ryi , C = Π g r(xi+Mixiyi) , D = Π i ≠ j g Mixiyj Key Generation X:=g x and Y:=g y Sequential Signing σ =(A,B,C,D) a:= A , b := BA y , c = CA x+Mxy , d = D Π i X jxMj Y xM pick r’: A := a r’ ; B := b r‘ ; C := c r’ ; D := d ESORICS 2011 Dominique Schröder 16
OUR SCHEME CL Vf: e(a,Y) = e(g,b) , e(X,a) * e(X,b) M =e(g,c) Verification: e(A, Π i Y i ) = e(g,B) Π i e(X i ,Y j ) Mi =e(g,D) Π i (e(X i ,A) e(X i ,B) Mi ) = e(g,C) e(A,D) -1 ESORICS 2011 Dominique Schröder 17
OPEN PROBLEMS Non-sequential aggregate signature in the standard model Scheme with short keys based on a non-interactive assumption Construction secure outside the KOSK Construction with short keys outside the KOSK ESORICS 2011 Dominique Schröder 18
THANKS! QUESTIONS? ESORICS 2011 Dominique Schröder 19
Recommend
More recommend