lattice based signature scheme with verifier local
play

Lattice-Based Signature Scheme with Verifier Local Revocation - PowerPoint PPT Presentation

May 28, 2023 •27 likes •257 views

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

  1. Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR March 27, 2014 1/ 15

  2. Our main result with N members First lattice-based group signature with verifier-local revocation, logarithmic signature size, and security under the SIS assumption in the Random Oracle Model. logarithmic in N hard problem on lattices PKC 2014 Group Signature with VLR March 27, 2014 2/ 15

  3. Group signatures [ChaumVanHeyst91] Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group. ◮ Group manager gpk , gsk i KeyGen, Open ◮ Group members ( gsk i ) Sign ◮ Anyone Verify KeyGen Open Security: • Anonymity Sign • Traceability Group Members Group Manager Verify Anyone PKC 2014 Group Signature with VLR March 27, 2014 3/ 15

  4. Group signatures with verifier-local revocation [ChaumVanHeyst91] [BonehShacham04] Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group. ◮ Group manager gpk , gsk i , grt i KeyGen ◮ Group members ( gsk i ) Sign ◮ Anyone Verify KeyGen Security: • Anonymity Sign Revocated • Traceability Group Member d Group RL Manager Verify fails if grt d ∈ RL Anyone PKC 2014 Group Signature with VLR March 27, 2014 3/ 15

  5. Security: anonymity and traceability Security requirements [BonehShacham04] ◮ Correctness ∀ ( gpk , gsk , grt ) ← KeyGen , ∀ i ∈ [ N − 1] , ∀ M ∈ { 0 , 1 } ∗ , Verify ( gpk , RL, Sign ( gpk , gsk i , M ) , M ) = Valid ⇔ grt i �∈ RL. ◮ Selfless-anonymity A given signature does not leak the identity of its originator. Given gpk and Sign , Corruption and Revocation queries, Goal find which of the two adaptively chosen keys generates the signature. ◮ Traceability No collusion of malicious users can produce a valid signature that cannot be traced to one of them. Given gpk , grt i for all i , and gsk i of users in the collusion, Goal create a valid signature that doesn’t trace to someone in the collusion (or that fails). PKC 2014 Group Signature with VLR March 27, 2014 4/ 15

  6. Applications Need for authenticity and anonymity ◮ Anonymous credentials: anonymous use of certified attributes ◮ E.g.: student card - name, picture, date, grade... ◮ Traffic management (Vehicle Safety Communications project of the U.S. Dept. of Transportation). ◮ Restrictive area access. PKC 2014 Group Signature with VLR March 27, 2014 5/ 15

  7. Prior works ◮ Group signature introduced by [ChaumVanHest91] , ◮ Group signature with verifier local revocation introduced by [Brickell03] and [KiayiasTsiounisYung04] , ◮ Formalized by [BonehShacham04] , ◮ Number of realizations in bilinear map setting : [NakanishiFunabiki05 and 06] , [LibertVergnaud09] , [BichselCamenishNevenSmartWarinschi10] . In lattice-based cryptography: ◮ First one [GordonKatzVaikuntanathan10] , then with signature size linear in N : [CamenischNevenRückert12] . ◮ Signature size logarithmic in N (and full-anonymity): [LaguillaumieLangloisLibertStehlé13] . ◮ Our result: first lattice-based group signature with verifier-local revocation (and we have signature size logarithmic in N ). PKC 2014 Group Signature with VLR March 27, 2014 6/ 15

  8. Lattice-based cryptography From basic to very advanced primitives ◮ Public key encryption [Regev05, ...] , ◮ Lyubashevsky signature scheme [Lyubashevsky12] , ◮ Identity-based encryption [GentryPeikertVaikuntanathan08, ...] , ◮ Attribute-based encryption [Boyen13, GorbunovVaikuntanathanWee13] , ◮ Fully homomorphic encryption [Gentry09, ...] . Advantages of lattice-based primitives ◮ (Asymptotically) efficient, ◮ Security proofs from the hardness of LWE and SIS , ◮ Likely to resist quantum attacks. PKC 2014 Group Signature with VLR March 27, 2014 7/ 15

  9. SIS β and ISIS β Parameters: n dimension, m ≥ n , q modulus. For A ← U ( Z m × n ) : q Short Integer Solution Inhomogeneous SIS x x A A = 0 mod q = u mod q Goal: Given A ← U ( Z m × n Goal: Given A ← U ( Z m × n ) , u ∈ Z n ) , q , q q find x s.t. 0 < � x � ≤ β . find x s.t. 0 < � x � ≤ β . Shown to be as hard as worst-case lattice problems, [GentryPeikertVaikuntanathan2008] PKC 2014 Group Signature with VLR March 27, 2014 8/ 15

  10. Lattice-based cryptography toolbox: trapdoors ◮ TrapGen � ( A , T A ) such that T A is a short basis of the lattice q ( A ) = { x ∈ Z m : x T · A = 0 Λ ⊥ (mod q ) } . � A public description of the lattice T A short basis, kept secret ◮ Note that: 1. Computing T A given A is hard, 2. Constructing A together with T A is easy. ◮ With T A , we can sample short vectors in Λ ⊥ q ( A ) . PKC 2014 Group Signature with VLR March 27, 2014 9/ 15

  11. Our construction Ingredients ◮ Certificate of users � key to produce temporary certificate, ◮ Bonsai Tree signature [CashHofheinzKiltzPeikert12] , ◮ ZKPoK using "Stern Extension" adapted from [LingNguyenStehléWang13] . Our scheme ◮ The member uses an interactive protocol to convince the verifier that he is a certified group member and he has not been revoked, ◮ Repeated many times to make the soundness error negligibly small. ◮ Convert this protocol to a signature scheme via Fiat Shamir. PKC 2014 Group Signature with VLR March 27, 2014 10/ 15

  12. Generation of the keys N = 2 ℓ group members KeyGen ◮ Run TrapGen to get A 0 together with a trapdoor T A 0 , ◮ Sample u uniform in Z n q , ◮ Sample 2 ℓ public matrices ( A ( b ) i ) ’s for b ∈ { 0 , 1 } , then define A and for each d ∈ [ N − 1] : A d (as in a Bonsai signature),   A 0 A (0)     A 0 1   A (1)   A ( d 1 )   1   ∈ Z ( ℓ +1) m × n  ∈ Z ( ℓ +1) m × n  1  A = , and A d = . .   . q   q . . .   .    A ( d ℓ )   A (0)   ℓ ℓ A (1) ℓ PKC 2014 Group Signature with VLR March 27, 2014 11/ 15

  13. Generation of the keys N = 2 ℓ group members KeyGen ◮ Run TrapGen to get A 0 together with a trapdoor T A 0 , ◮ Sample u uniform in Z n q , ◮ Sample 2 ℓ public matrices ( A ( b ) i ) ’s for b ∈ { 0 , 1 } , then define A and for each d ∈ [ N − 1] : A d (as in a Bonsai signature), ◮ For each d , sample a small x d gaussian (using T A 0 ), such that ( x d ) T A d = u T mod q ,   A 0 A ( d 1 )   � �  = u T mod q ( x ( d )  1  0 ) T ( x d 1 1 ) T ( x d ℓ ℓ ) T . . .   . . .  A ( d ℓ ) ℓ PKC 2014 Group Signature with VLR March 27, 2014 11/ 15

  14. Generation of the keys N = 2 ℓ group members KeyGen ◮ Run TrapGen to get A 0 together with a trapdoor T A 0 , ◮ Sample u uniform in Z n q , ◮ Sample 2 ℓ public matrices ( A ( b ) i ) ’s for b ∈ { 0 , 1 } , then define A and for each d ∈ [ N − 1] : A d (as in a Bonsai signature), ◮ For each d , sample a small x d gaussian (using T A 0 ), such that ( x d ) T A d = u T mod q , ◮ Public key: gpk = ( A , u ) , ◮ Secret key for each d : gsk d = x ( d ) such that x ( d ) A d = u T mod q , � � x ( d ) = ( x ( d ) ( x d 1 ( x d ℓ 0 ) T 1 ) T ℓ ) T . . . . ◮ Revocation token for each d : grt d = ( x ( d ) 0 ) T A 0 . PKC 2014 Group Signature with VLR March 27, 2014 11/ 15

  15. Sign ◮ To sign a message, the user must hide d ◮ ⇒ he cannot convince a verifier that he knows x ( d ) with ( x ( d ) ) T A d = u T mod q if the verifier does not know A d . PKC 2014 Group Signature with VLR March 27, 2014 12/ 15

  16. Sign ◮ To sign a message, the user must hide d ◮ ⇒ he cannot convince a verifier that he knows x ( d ) with ( x ( d ) ) T A d = u T mod q if the verifier does not know A d . ◮ Solution: prove that he knows x such that x T A = u T mod q , and that for every two consecutive blocks of x ( d ) , one is a zero block. PKC 2014 Group Signature with VLR March 27, 2014 12/ 15

  17. Sign ◮ To sign a message, the user must hide d ◮ ⇒ he cannot convince a verifier that he knows x ( d ) with ( x ( d ) ) T A d = u T mod q if the verifier does not know A d . ◮ Solution: prove that he knows x such that x T A = u T mod q , and that for every two consecutive blocks of x ( d ) , one is a zero block. � � ◮ Recall that x ( d ) = ( x ( d ) ( x d 1 ( x d ℓ 0 ) T 1 ) T ℓ ) T , . . . Construct x : � � ( x ( d ) ( x d 1 0 ) T 1 ) T 0 . . . � �� � if d 1 =0 PKC 2014 Group Signature with VLR March 27, 2014 12/ 15

  18. Sign ◮ To sign a message, the user must hide d ◮ ⇒ he cannot convince a verifier that he knows x ( d ) with ( x ( d ) ) T A d = u T mod q if the verifier does not know A d . ◮ Solution: prove that he knows x such that x T A = u T mod q , and that for every two consecutive blocks of x ( d ) , one is a zero block. � � ◮ Recall that x ( d ) = ( x ( d ) ( x d 1 ( x d ℓ 0 ) T 1 ) T ℓ ) T , . . . Construct x : � � ( x ( d ) ( x d 1 0 ) T 1 ) T 0 . . . � �� � if d 1 =1 PKC 2014 Group Signature with VLR March 27, 2014 12/ 15

Recommend

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz (Ruhr-Universit at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor

1.06k views • 36 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde &amp; Informatica January 2019, London 1 / 42 This is a cryptanalysis work... Target: DRS a NIST lattice-based

1.32k views • 108 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr. Mohamed Mahmoud Outline - What is Oblivious Signature-Based Envelope (OSBE)? - Applications - cryptosystem - Analysis 2 Problem Formulation -

339 views • 14 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal Signature Scheme, Cryptography in Practice: Random Number Odds and Ends on Public Key Crypto 2 Generation, Key Management Cryptography in Real Life 3

367 views • 14 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven - ESAT 26 June 2017 The UOV signature scheme 2/6 The Unbalanced Oil and Vinegar (UOV) signature scheme has withstood attacks since its formulation in

476 views • 6 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
(ORS) and SCHOOL HIGH HEALTH NEEDS FUND (SHHNF) Mary Smith Remote Verifier/Specialist Service

(ORS) and SCHOOL HIGH HEALTH NEEDS FUND (SHHNF) Mary Smith Remote Verifier/Specialist Service

ONGOING RESOURCING SCHEME (ORS) and SCHOOL HIGH HEALTH NEEDS FUND (SHHNF) Mary Smith Remote Verifier/Specialist Service Standards Review Coordinator ORS Purpose of the Scheme Two levels of verification Focus on need for specialist

579 views • 23 slides
LOCAL ORGANISATIONS GET INVOLVED IN THE KICKSTART SCHEME 2 What is the Kickstart Scheme? The

LOCAL ORGANISATIONS GET INVOLVED IN THE KICKSTART SCHEME 2 What is the Kickstart Scheme? The

HOW TO HELP LOCAL ORGANISATIONS GET INVOLVED IN THE KICKSTART SCHEME 2 What is the Kickstart Scheme? The Kickstart Scheme helps young people at risk of long term unemployment get into the job market by providing government funding for

429 views • 13 slides
Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum Cryptography in Practice Speaker: Dr. Bernhard Jungk 1 eXtended Merkle Signature Scheme 2 eXtended Merkle Signature Scheme Why should we look

949 views • 39 slides
HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA *Partly supported by a DAAD postdoctoral fellowship AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . .

214 views • 19 slides
Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde &amp; Informatica Asiacrypt 2018 Brisbane, Australia 1 / 27 This is a cryptanalysis work... Target: DRS a NIST

807 views • 56 slides

More recommend