signature schemes with efficient protocols and dynamic
play

Signature Schemes with Efficient Protocols and Dynamic Group - PowerPoint PPT Presentation

Mar 18, 2024 •406 likes •1.33k views

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

  1. Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benoît Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 É.N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological University, Singapore Asiacrypt, Hanoi, 06/12/2016 Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 1/30

  2. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  3. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  4. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  5. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs compatible with this signature (no hash functions) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  6. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures , anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs compatible with this signature (no hash functions) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  7. Group Signatures A user wants to take public transportations. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  8. Group Signatures A user wants to take public transportations. timestamp Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  9. Group Signatures A user wants to take public transportations. signature ◮ Authenticity & Integrity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  10. Group Signatures A user wants to take public transportations. signature ??? ◮ Authenticity & Integrity ◮ Anonymity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  11. Group Signatures A user wants to take public transportations. signature ??? ◮ Authenticity & Integrity ◮ Anonymity Join ◮ Dynamicity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  12. Group Signatures A user wants to take public transportations. signature ◮ Authenticity & Integrity ◮ Anonymity Join ◮ Dynamicity ◮ Traceability POLICE Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  13. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  14. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  15. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; ◮ Even if everyone, including authorities, is dishonest, no one can sign in your name; Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  16. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; ◮ Even if everyone, including authorities, is dishonest, no one can sign in your name; ◮ Most use cases require dynamic groups (e.g., anonymous access control in buildings). Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  17. Anonymous Credentials (Chaum’85, Camenisch-Lysyanskya’01) Principle (e.g., U-Prove, Idemix) Involves Authority , Users and Verifiers . ◮ User dynamically obtains credentials from an authority under a pseudonym (= commitment to a digital identity) ◮ . . . and can dynamically prove possession of credentials using different ( unlinkable ) pseudonyms Different flavors : one-show/multi-show credentials, attribute-based access control,. . . Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 5/30

  18. Anonymous Credentials (Chaum’85, Camenisch-Lysyanskya’01) Principle (e.g., U-Prove, Idemix) Involves Authority , Users and Verifiers . ◮ User dynamically obtains credentials from an authority under a pseudonym (= commitment to a digital identity) ◮ . . . and can dynamically prove possession of credentials using different ( unlinkable ) pseudonyms Different flavors : one-show/multi-show credentials, attribute-based access control,. . . General construction from signature with efficient protocols: ◮ Authority gives a user a signature on a committed message; ◮ User proves that same secret underlies different pseudonyms; ◮ User proves that he possesses a message-signature pair. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 5/30

  19. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Message Message Signature Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  20. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Open Message Message Signature ◮ Protocol for signing committed messages Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  21. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Open Message Message Signature ZKPoK PoK ◮ Protocol for signing committed messages ◮ Proof of Knowledge (PoK) of (Message; Signature) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  22. Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n . Can be seen as integer linear combinations of a finite set of vectors. �� � Λ( b 1 , . . . , b n ) = i ≤ n a i b i | a i ∈ Z Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 7/30

  23. Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n . Can be seen as integer linear combinations of a finite set of vectors. �� � Λ( b 1 , . . . , b n ) = i ≤ n a i b i | a i ∈ Z Why? ◮ Simple and efficient; ◮ Still conjectured quantum-resistant; ◮ Connection between average-case and worst-case problems; ◮ Powerful functionalities (e.g., FHE). → Finding a non-zero short vector in a lattice is hard. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 7/30

  24. Hardness Assumptions: SIS and LWE Parameters : n dimension, m ≥ n , q modulus. ֓ U ( Z m × n For A ← ) : q Small Integer Solution Learning With Errors x s + e , A A = 0 [ q ] A m n ֓ Z n s ← e small error q � � Goal: Given A ∈ Z m × n , find Goal: Given A , A s + e , q x ∈ Z m \{ 0 } small find s ∈ Z n q Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 8/30

  25. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

  26. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups 2004 Kiayias and Yung : model for dynamic groups 2004 Bellare, Shi and Zhang : model for dynamic groups Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

  27. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups 2004 Kiayias and Yung : model for dynamic groups 2004 Bellare, Shi and Zhang : model for dynamic groups 2010 Gordon, Katz and Vaikuntanathan : first lattice -based scheme 2013 Laguillaumie, Langlois, Libert and Stehlé : log-size signatures from lattices Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

Recommend

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --> (Z q ) n m

279 views • 15 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open

Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open

EGI Community Forum 2013 Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open protocols Oliver Keeble Adrien Devresse Ricardo Brito da Rocha (presenter) Alejandro Alvarez Fabrizio Furano Patrick

444 views • 21 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020 Context PKC 2020 p 2 Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address

437 views • 33 slides
LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

399 views • 29 slides
Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

335 views • 14 slides
Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram Poettering and Douglas Stebila Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

454 views • 41 slides
Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31 Introduction MTSS Digital Signatures

637 views • 35 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval Ecole normale suprieure - France John Malone-Lee - Nigel Smart University of Bristol - UK Summary Summary The methodology of provable

479 views • 12 slides
Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

590 views • 39 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of Informatics University of Edinburgh 31st January 2013 Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA

1.15k views • 91 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Background

1.76k views • 77 slides
Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI & Universiteit Leiden IPAM Retreat: Securing Cyberspace 9 June 2009 Network coding [ACLY00] recipient router router router sender router

330 views • 18 slides
TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp

TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp

TOWARDS EFFICIENT VERIFICATION OF POPULATION PROTOCOLS Michael Blondin, Javier Esparza, Philipp J. Meyer Stefan Jaax TU Mnchen Population Protocols Population protocols (Angluin et al., 2004) are a model of Can be used to model networks of

471 views • 29 slides
Efficient Primitive Protocols for Sharemind Bingsheng Zhang 1 , 2 1 Cybernetica AS, Estonia 2

Efficient Primitive Protocols for Sharemind Bingsheng Zhang 1 , 2 1 Cybernetica AS, Estonia 2

Efficient Primitive Protocols for Sharemind Bingsheng Zhang 1 , 2 1 Cybernetica AS, Estonia 2 University of Tartu, Estonia Research Seminar in Cryptography, 2009s Outline Outline Introduction Preliminaries Integer Aritmetic Protocols Private

532 views • 24 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides

More recommend