how to aggregate the cl signature scheme
play

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* - PowerPoint PPT Presentation

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA *Partly supported by a DAAD postdoctoral fellowship AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . .


  1. HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA *Partly supported by a DAAD postdoctoral fellowship

  2. AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . . . σ 1 σ i σ n (trivial) „aggregator“ ESORICS 2011 Dominique Schröder 2

  3. AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . . . same size as an ordinary signature!!! σ 1 σ i σ n „aggregator“ ESORICS 2011 Dominique Schröder 3

  4. ROAD MAP Applications Security model Related Work Bilinear Maps Our Construction ESORICS 2011 Dominique Schröder 4

  5. APPLICATIONS OF AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) Secure Routing Short Signatures Compression of Certificate Chains Short Group Sig Compression of Authenticated Data .... bandwidth saving! ESORICS 2011 Dominique Schröder 5

  6. APPLICATIONS OF AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) (pk 1 ,m 1 , σ ) (pk 1 , pk 2, m 1 , m 2, σ ) (pk 1 , pk 2 ,..., m 1 , m 2, ,..., σ ) Sequential aggregate signature Key size?? ESORICS 2011 Dominique Schröder 6

  7. SECURITY OF AGGREGATE SIGNATURES (Boneh, Lynn, and Shacham) sk � sk �� pk sk m σ sk sk ��� ( m 1 , pk 1 ) , . . . , ( m i , pk i ) , . . . , ( m n , pk n ) , σ ESORICS 2011 Dominique Schröder 7

  8. SECURITY OF AGGREGATE SIGNATURES (Boneh, Lynn, and Shacham) adversary wins if: 1) (m 1 ,pk 1 ,..., m i ,pk i ,..., m n ,pk n , σ ) valid 2) Never queried the oracle about m i 3) Registered key: all keys (sk i ,pk i ) are registered sk m σ ESORICS 2011 Dominique Schröder 8

  9. RELATED WORK Aggregate and Verifiably Encrypted Signatures from Bilinear Maps BGLS (ROM, non sequential, EUROCRYPT 2003) Sequential Aggregate Signatures from Trapdoor Permutations LMRS (ROM, sequential, EUROCRYPT 2004) Aggregate Signatures and Multisignatures Without Random Oracles LOSSW (sequential, large keys!, EUROCRYPT 2006) Efficient Sequential Aggregate Signed Data Neven (ROM, EUROCRYPT 2008) ESORICS 2011 Dominique Schröder 9

  10. BILINEAR MAPS G, G T e: G x G -> G T g generator of G, e(g,g) generator of G T Non degenerate e(g,g) ≠ 1 e(g a ,g b ) = e(g,g) ab ESORICS 2011 Dominique Schröder 10

  11. CL SIGNATURE SCHEME secure under the interactive LRSW assumption Kg: x,y <- Z p X := g x , Y := g y Sign: r <- Z p , a := g r , b := g ry , c := g r(x+Mxy) Vf: e(a,Y) = e(g,b) , e(X,a) * e(X,b) M =e(g,c) e(a,Y) = e(g r ,g y ) = e(g,g) ry = e(g,g ry ) = e(g,b) e(X,a) * e(X,b) M = e(g x ,g r ) * e(g x , g ry ) M = e(g,g) xr * e(g, g) xryM = e(g,g) xr+xryM = e(g,g) r(x+xyM) = e(g,g r(x+xyM) ) = e(g,c) ESORICS 2011 Dominique Schröder 11

  12. OUR CONSTRUCTION Challenges Randomized signature: a := g r , b := g ry , c := g r(x+Mxy) Use ‘a’ from the previous signer re-randomize the signature afterwards. Cross-Terms public keys g a , g b and signatures S a and S b with Vf: e(g a , S a ) e(g a g b , S a S b ) = e(g a , S a S b ) e(g b , S a S b ) = e(g a , S a ) e(g b , S a ) e(g a , S b ) e(g b , S b ) ESORICS 2011 Dominique Schröder 12

  13. RANDOMIZING sk=(x’,y’), pk=(X’,Y’) Randomized signature: a := g r , b := g ry , c := g r(x+Mxy) a’ := a b’ := a y‘ = g ry‘ c’:= a x’+Mx’y’ =g r(x’+Mx’y’) Re-randomizing: pick r’ a’ r’ := g rr’ b’ r’ := a y‘r’ = g rr’y‘ c’ r’ := a r’(x’+Mx’y’) =g r r’(x’+Mx’y’) ESORICS 2011 Dominique Schröder 13

  14. CROSS TERMS Aggregate Extension Technique public keys g a , g b and signatures S a and S b with Vf: e(g a , S a ) e(g a g b , S a S b ) = e(g a , S a S b ) e(g b , S a S b ) = e(g a , S a ) e(g b , S b ) e(g b , S a ) e(g a , S b ) Extend the aggregate Signer a sends g a , S a Compute g b , S b Extend the aggregate by D:=S a g -b (S b ) -1 g a e(g a g b , S a S b ) e(D,g) = e(g a , S a S b ) e(g b , S a S b ) e(g,S a g -b (S b ) -1 g a ) ESORICS 2011 Dominique Schröder 14

  15. OUR SCHEME a := g r , b := g ry , c := g r(x+Mxy) a := g r , b’ := g ry’ , c’ := g r(x’+M’x’y’) Aggregate A:= a , B := bb’= g r(y+y’) , C:=cc’ Verification: Π e(X i ,A)e(X i ,B) M i = e(g,C) Π e(X i ,B) M i = e(X,B) M e(X’,B) M‘ = e(g,B) xM e(g,B) x’M‘ = e(g,A y+y’ ) xM+x’M‘ = e(g,g r ) xyM+x’y’M‘+xy’M+x’yM‘ Extend D := X y’M Y x’M‘ = g x’yM‘+xy’M ESORICS 2011 Dominique Schröder 15

  16. OUR SCHEME Structure of the aggregate A = g r , B = Π g ryi , C = Π g r(xi+Mixiyi) , D = Π i ≠ j g Mixiyj Key Generation X:=g x and Y:=g y Sequential Signing σ =(A,B,C,D) a:= A , b := BA y , c = CA x+Mxy , d = D Π i X jxMj Y xM pick r’: A := a r’ ; B := b r‘ ; C := c r’ ; D := d ESORICS 2011 Dominique Schröder 16

  17. OUR SCHEME CL Vf: e(a,Y) = e(g,b) , e(X,a) * e(X,b) M =e(g,c) Verification: e(A, Π i Y i ) = e(g,B) Π i e(X i ,Y j ) Mi =e(g,D) Π i (e(X i ,A) e(X i ,B) Mi ) = e(g,C) e(A,D) -1 ESORICS 2011 Dominique Schröder 17

  18. OPEN PROBLEMS Non-sequential aggregate signature in the standard model Scheme with short keys based on a non-interactive assumption Construction secure outside the KOSK Construction with short keys outside the KOSK ESORICS 2011 Dominique Schröder 18

  19. THANKS! QUESTIONS? ESORICS 2011 Dominique Schröder 19

Recommend


More recommend