multi key homomorphic signatures unforgeable under
play

Multi-Key Homomorphic Signatures Unforgeable under Insider - PowerPoint PPT Presentation

Dec 03, 2022 •28 likes •618 views

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 , Raymond K. H. Tai 2 , Harry W. H. Wong 2 , Sherman S. M. Chow 2 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Chinese University of Hong Kong

  1. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 , Raymond K. H. Tai 2 , Harry W. H. Wong 2 , Sherman S. M. Chow 2 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Chinese University of Hong Kong

  2. Useful multi-key homomorphic signatures likely require strong assumptions. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 1/16

  3. Overview We introduce a strong but natural unforgeability notion of (multi-key) homomorphic signatures. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 2/16

  4. Overview We introduce a strong but natural unforgeability notion of (multi-key) homomorphic signatures. The property is essential for natural applications, e.g., verifiable MPC. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 2/16

  5. Overview We introduce a strong but natural unforgeability notion of (multi-key) homomorphic signatures. The property is essential for natural applications, e.g., verifiable MPC. We draw connections of the notion to zk-SNARG/Ks. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 2/16

  6. Homomorphic Signatures I signed m . σ A Alice Evaluator Verifier m

  7. Homomorphic Signatures You can evaluate any function on it. σ A Alice Evaluator Verifier m

  8. Homomorphic Signatures Let’s do f ( m ) . σ A Alice Evaluator Verifier f ( m ) , f

  9. Homomorphic Signatures Looks legit. σ A Alice Evaluator Verifier f ( m ) , f Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 3/16

  10. Unforgeability of Homomorphic Signatures I signed m . σ A Adversary Alice Verifier m

  11. Unforgeability of Homomorphic Signatures You can evaluate any function on it. σ A Adversary Alice Verifier m

  12. Unforgeability of Homomorphic Signatures Let’s pretend m ∗ = f ( m ) . σ A Adversary Alice Verifier m ∗ , f

  13. Unforgeability of Homomorphic Signatures Smells fishy. σ A Adversary Alice Verifier m ∗ , f Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 4/16

  14. Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] I signed m A . σ A Alice m A I signed m B . Evaluator Verifier σ B Bob m B

  15. Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] You can evaluate any function on them. Alice Evaluator Verifier σ A m A , σ B m B Bob

  16. Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] Let’s do f ( m A , m B ) . Alice A , B Evaluator σ Verifier f ( m A , m B ) , f Bob

  17. Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] Looks legit. Alice A , B Evaluator σ Verifier f ( m A , m B ) , f Bob Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 5/16

  18. Unforgeability of Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] I signed m A . σ A Alice m A I signed m B . Adversary Verifier σ B Bob m B

  19. Unforgeability of Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] You can evaluate any function on them. Alice Adversary Verifier σ A m A , σ B m B Bob

  20. Unforgeability of Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] Let’s pretend m ∗ = f ( m A , m B ) . Alice A , B Adversary σ Verifier m ∗ , f Bob

  21. Unforgeability of Multi-key Homomorphic Signatures [FMNP, Asiacrypt16] Smells fishy. Alice A , B Adversary σ Verifier m ∗ , f Bob Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 6/16

  22. Insider Attack? I signed m A . σ A Alice m A Here is my secret key sk B . Adversary Verifier Bob

  23. Insider Attack? You can evaluate any function on them. σ A m A Alice Let’s mess with Alice. Adversary Verifier Bob

  24. Insider Attack? Let’s pretend m ∗ = f ( m A , m B ) . Alice A , B Adversary Verifier σ m ∗ , f Bob

  25. Insider Attack? Sounds...... legit? Alice A , B Adversary Verifier σ m ∗ , f Bob Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 7/16

  26. Unforgeability of (Multi-Key) Homomorphic Signatures under Insider Corruption • A can query sign oracle on ( id , m ) , which does the following: • Generate ( pk id , sk id ) and record id as honest if not done already. • Sign m using sk id as σ id m and record m in the set M id . • Return ( pk id , σ id m ) . Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 8/16

  27. Unforgeability of (Multi-Key) Homomorphic Signatures under Insider Corruption • A can query sign oracle on ( id , m ) , which does the following: • Generate ( pk id , sk id ) and record id as honest if not done already. • Sign m using sk id as σ id m and record m in the set M id . • Return ( pk id , σ id m ) . • A produces ( f ∗ , { pk ∗ id 1 ,..., pk ∗ id k } , m ∗ , σ ∗ ) . Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 8/16

  28. Unforgeability of (Multi-Key) Homomorphic Signatures under Insider Corruption • A can query sign oracle on ( id , m ) , which does the following: • Generate ( pk id , sk id ) and record id as honest if not done already. • Sign m using sk id as σ id m and record m in the set M id . • Return ( pk id , σ id m ) . • A produces ( f ∗ , { pk ∗ id 1 ,..., pk ∗ id k } , m ∗ , σ ∗ ) . • A wins if the following hold: • Vf ( f ∗ , { pk ∗ id 1 ,..., pk ∗ id k } , m ∗ , σ ∗ ) = 1. • If id is honest, then pk ∗ id = pk id . • m ∗ is not in the range of f ∗ , when the inputs of honest id are restricted to those recorded in M id , � � � m i ∈ M id i is malicious i.e. , m ∗ / f ∗ ( m 1 ,..., m k ) : ∈ m i ∈ M id i id i is honest Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 8/16

  29. Unforgeability of (Multi-Key) Homomorphic Signatures under Insider Corruption • A can query sign oracle on ( id , m ) , which does the following: • Generate ( pk id , sk id ) and record id as honest if not done already. • Sign m using sk id as σ id m and record m in the set M id . • Return ( pk id , σ id m ) . • A produces ( f ∗ , { pk ∗ id 1 ,..., pk ∗ id k } , m ∗ , σ ∗ ) . • A wins if the following hold: • Vf ( f ∗ , { pk ∗ id 1 ,..., pk ∗ id k } , m ∗ , σ ∗ ) = 1. • If id is honest, then pk ∗ id = pk id . • m ∗ is not in the range of f ∗ , when the inputs of honest id are restricted to those recorded in M id , � � � m i ∈ M id i is malicious i.e. , m ∗ / f ∗ ( m 1 ,..., m k ) : ∈ m i ∈ M id i id i is honest Remark • The definition still makes sense even with one key, i.e. , k = 1. • It means that even the signer cannot produce σ m , f for m not in the range of f . Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 8/16

  30. Why is the notion meaningful? Example 1: Number of keys k > 1 • f ∗ ( m 1 ,..., m k ) = MAJORITY ( m 1 ,..., m k ) • id k malicious • id i honest, M id i = { NO } , for all i = 1 ,..., k − 1 id k } , m ∗ = YES , σ ∗ ) • Infeasible to forge ( MAJORITY , { pk ∗ id 1 ,..., pk ∗ Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 9/16

  31. Why is the notion meaningful? Example 1: Number of keys k > 1 • f ∗ ( m 1 ,..., m k ) = MAJORITY ( m 1 ,..., m k ) • id k malicious • id i honest, M id i = { NO } , for all i = 1 ,..., k − 1 id k } , m ∗ = YES , σ ∗ ) • Infeasible to forge ( MAJORITY , { pk ∗ id 1 ,..., pk ∗ Example 2: Number of keys k = 1 • C : Unsatisfiable Boolean circuit • f ∗ ( m ) = C ( m ) • Infeasible to forge ( C , pk , m ∗ = 1 , σ ∗ ) Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 9/16

  32. Other Properties of (Multi-key) Homomorphic Signatures (Weakly) Context-Hiding σ f ( m ) , f reveals nothing about m . Succinctness Size of σ f ( m ) , f is independent of the size of m and f . Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 10/16

  33. Preliminary: zk-(O-)SNARG/Ks Argument systems which allow a prover to prove to the verifier: There exists a witness w such that the relation R ( x , w ) = 1 holds for the statement x. zero-knowledge : Proofs reveal nothing about witnesses. Oracle : Sound even if the prover has access to certain ( e.g. , signing) oracles. Succinct : Proof size is independent of witness size. Non-Interactive : The prover only sends 1 message to the verifier. ARGguments : The system is computationally sound. ARguments of Knowledge : There exists an extractor which extracts witnesses from provers. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 11/16

  34. Roadmap • zk-(O-)SNARKs + Signatures = ⇒ Insider Unforgeable Multi-key Homomorphic Signatures. Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 12/16

  35. Roadmap • zk-(O-)SNARKs + Signatures = ⇒ Insider Unforgeable Multi-key Homomorphic Signatures. • 1-key 1-hop Insider Unforgeable Homomorphic Signatures = ⇒ zk-SNARGs Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F . Lai 12/16

Recommend

Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay COLE POLYTECHNIQUE

Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay COLE POLYTECHNIQUE

Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE Asiacrypt 04 - December 8, 2004 J. Monnerat,

321 views • 31 slides
Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David

Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David

Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David Pointcheval Outline 1. Mix-Nets in drawings 2. Building blocks 3. Spirit of our scheme 4. Difficulties 2 Mix-Net 3 Mix-Net 3 Mix-Net 3

600 views • 44 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD Multi-signatures (pk 1 ,sk

635 views • 27 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU

Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU

Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion & UCLA PrimiLves AssumpLons 1970 PKE 1980 Signatures ZK OT Factoring Discrete Log 1990 Secure ComputaLon 2000

1.12k views • 64 slides
Multi-Signatures for Blockchains Yannick Seurin Agence nationale de la scurit des systmes

Multi-Signatures for Blockchains Yannick Seurin Agence nationale de la scurit des systmes

Multi-Signatures for Blockchains Yannick Seurin Agence nationale de la scurit des systmes dinformation June 12, 2019 LINCS Blockchain Day Y. Seurin (ANSSI) Multi-Signatures for Blockchains 12/06/2019 1 / 17 Uses of cryptography

921 views • 68 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee

On the Multi-User Security of Short Schnorr Signatures Jeremiah Blocki and Seunghoon Lee Department of Computer Science, Purdue University October 10, 2019 Jeremiah Blocki and Seunghoon Lee On the Multi-User Security of Short Schnorr Signatures

1.23k views • 86 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion & UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia

Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia

Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia Iliashenko Frederik Vercauteren Homomorphic encryption cryp 175.2 {#*| Homomorphic encoding real-world data plaintext ciphertext

512 views • 40 slides
Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl Fully Homomorphic Encryption (FHE) Supports homomorphic

791 views • 40 slides
Circuit-Private Multi-Key FHE Wutichai Chongchitmate Rafail Ostrovsky Abstract Multi-key

Circuit-Private Multi-Key FHE Wutichai Chongchitmate Rafail Ostrovsky Abstract Multi-key

Circuit-Private Multi-Key FHE Wutichai Chongchitmate Rafail Ostrovsky Abstract Multi-key fully homomorphic encryption (MFHE) schemes allow polynomially many users without trusted setup assumptions to send their data (encrypted under

654 views • 38 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD To appear at S&P 2019,

393 views • 27 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Time Signatures to detect multi-headed stealthy attack tools Marc Dacier (EURECOM) Guillaume

Time Signatures to detect multi-headed stealthy attack tools Marc Dacier (EURECOM) Guillaume

Time Signatures to detect multi-headed stealthy attack tools Marc Dacier (EURECOM) Guillaume Urvoy-Keller (EURECOM) Fabien Pouget (CERTA) Plan What we already have A world-wide project Large amount of data A classification

446 views • 40 slides
Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Homomorphic Encryption for Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption Homomorphic encryption (HE): encryption schemes that support computation on ciphertexts Consists of three functions: m c

548 views • 26 slides
Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1

Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1

Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1 Stanford University 2 DFINITY Bitcoin Blockchain and transactions Input 1 Output 1 Witness Input 2 Output 2 Witness Pointer to previous

372 views • 16 slides

More recommend