signatures
play

Signatures Lecture 22 Signatures Signatures Signatures with - PowerPoint PPT Presentation

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures


  1. Waters Signature A regular (non-aggregate) signature scheme that is secure if the Computational Diffie-Hellman assumption holds in a group with bilinear pairings (no RO) Keys: Signing key is x and verification key is X := e(g,g) x , and generators u 0 ,u 1 ,....,u k (for k bit long messages)

  2. Waters Signature A regular (non-aggregate) signature scheme that is secure if the Computational Diffie-Hellman assumption holds in a group with bilinear pairings (no RO) Keys: Signing key is x and verification key is X := e(g,g) x , and generators u 0 ,u 1 ,....,u k (for k bit long messages) Sign(m;x) = (R,S) where R=g r and S = g x H r , where 
 H = π (m) = u 0 .u 1m1 ...u kmk

  3. Waters Signature A regular (non-aggregate) signature scheme that is secure if the Computational Diffie-Hellman assumption holds in a group with bilinear pairings (no RO) Keys: Signing key is x and verification key is X := e(g,g) x , and generators u 0 ,u 1 ,....,u k (for k bit long messages) Sign(m;x) = (R,S) where R=g r and S = g x H r , where 
 H = π (m) = u 0 .u 1m1 ...u kmk Verify(m,(R,S);X,u,u 1 ,....,u k ): check e(S,g) = e(R,H).X

  4. Waters Signature A regular (non-aggregate) signature scheme that is secure if the Computational Diffie-Hellman assumption holds in a group with bilinear pairings (no RO) Keys: Signing key is x and verification key is X := e(g,g) x , and generators u 0 ,u 1 ,....,u k (for k bit long messages) Sign(m;x) = (R,S) where R=g r and S = g x H r , where 
 H = π (m) = u 0 .u 1m1 ...u kmk Verify(m,(R,S);X,u,u 1 ,....,u k ): check e(S,g) = e(R,H).X Extended to a sequential aggregate scheme [LOSSW’06] →

  5. A Sequential Aggregate Signature Scheme

  6. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij

  7. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij Signature = (R,S), where R=g r1+..+rn , S = g x1+..+xn (H 1 ... H n ) r1+..+rn where H i = u i0 .(u i1 ) m1 ...(u ik ) mk

  8. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij Signature = (R,S), where R=g r1+..+rn , S = g x1+..+xn (H 1 ... H n ) r1+..+rn where H i = u i0 .(u i1 ) m1 ...(u ik ) mk Verification of signature (R,S) for messages (m 1 ,...,m n ): check if e(S,g) = e(R,H 1 )X 1 ... e(R,H n )X n

  9. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij Signature = (R,S), where R=g r1+..+rn , S = g x1+..+xn (H 1 ... H n ) r1+..+rn where H i = u i0 .(u i1 ) m1 ...(u ik ) mk Verification of signature (R,S) for messages (m 1 ,...,m n ): check if e(S,g) = e(R,H 1 )X 1 ... e(R,H n )X n Signing done sequentially by individual signers. Initially set R=1 and S = 1 (identity in the group). Then:

  10. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij Signature = (R,S), where R=g r1+..+rn , S = g x1+..+xn (H 1 ... H n ) r1+..+rn where H i = u i0 .(u i1 ) m1 ...(u ik ) mk Verification of signature (R,S) for messages (m 1 ,...,m n ): check if e(S,g) = e(R,H 1 )X 1 ... e(R,H n )X n Signing done sequentially by individual signers. Initially set R=1 and S = 1 (identity in the group). Then: AddSign(m i ,(R’,S’); x i , y i0 ,y i1 ,..,y ik ) = ReRand(R’’,S’’), where R’’=R’ and S’’ = S’.g xi .(R’) hi where h i s.t. g hi = H i

  11. A Sequential Aggregate Signature Scheme Keys: For user i verification key is X i := e(g,g) xi , and u i0 ,u i1 ,....,u ik . Signing key is x i and y i0 ,y i1 ,..,y ik where u ij = g yij Signature = (R,S), where R=g r1+..+rn , S = g x1+..+xn (H 1 ... H n ) r1+..+rn where H i = u i0 .(u i1 ) m1 ...(u ik ) mk Verification of signature (R,S) for messages (m 1 ,...,m n ): check if e(S,g) = e(R,H 1 )X 1 ... e(R,H n )X n Signing done sequentially by individual signers. Initially set R=1 and S = 1 (identity in the group). Then: AddSign(m i ,(R’,S’); x i , y i0 ,y i1 ,..,y ik ) = ReRand(R’’,S’’), where R’’=R’ and S’’ = S’.g xi .(R’) hi where h i s.t. g hi = H i ReRand(R’’,S’’) = (R,S), where R = R’’g t and S = S’’ (H 1 ..H i ) t

  12. Batch Verification

  13. Batch Verification To speed up verification of a collection of signatures

  14. Batch Verification To speed up verification of a collection of signatures Batching done by the verifier

  15. Batch Verification To speed up verification of a collection of signatures Batching done by the verifier Incomparable to aggregate signatures

  16. Batch Verification To speed up verification of a collection of signatures Batching done by the verifier Incomparable to aggregate signatures Batch verifiable signature scheme reduces verification time, but does not reduce the total size of signatures that verifier gets. No co-ordination among signers.

  17. Batch Verification To speed up verification of a collection of signatures Batching done by the verifier Incomparable to aggregate signatures Batch verifiable signature scheme reduces verification time, but does not reduce the total size of signatures that verifier gets. No co-ordination among signers. Aggregate signatures saves on bandwidth and verification time, but needs coordination among signers and does not allow un-aggregating the signatures

  18. Batch Verification

  19. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi

  20. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi If one (or more) equation is wrong, probability of verifying is at most 1/ q, where q is the size of the domain of w i

  21. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi If one (or more) equation is wrong, probability of verifying is at most 1/ q, where q is the size of the domain of w i Efficiency by using a small domain for w i . e.g., use w i ∈ {0,1}, and repeat k times (independent of number of signatures)

  22. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi If one (or more) equation is wrong, probability of verifying is at most 1/ q, where q is the size of the domain of w i Efficiency by using a small domain for w i . e.g., use w i ∈ {0,1}, and repeat k times (independent of number of signatures) Similarly for pairing equations, but with further optimizations

  23. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi If one (or more) equation is wrong, probability of verifying is at most 1/ q, where q is the size of the domain of w i Efficiency by using a small domain for w i . e.g., use w i ∈ {0,1}, and repeat k times (independent of number of signatures) Similarly for pairing equations, but with further optimizations e.g. Waters’ signature: e(S,g)=e(R,H).X (g same for all signers)

  24. Batch Verification Idea: to verify several equations of the form Z i = g zi , pick random weights w i and check Π i Z iwi = g Σ zi.wi If one (or more) equation is wrong, probability of verifying is at most 1/ q, where q is the size of the domain of w i Efficiency by using a small domain for w i . e.g., use w i ∈ {0,1}, and repeat k times (independent of number of signatures) Similarly for pairing equations, but with further optimizations e.g. Waters’ signature: e(S,g)=e(R,H).X (g same for all signers) Can save on number of pairing operations using 
 Π i e(S i ,g) wi = Π i e(S iwi ,g) = e( Π i S iwi ,g)

  25. Group Signatures

  26. Group Signatures To sign a message “anonymously” [CvH’91]

  27. Group Signatures To sign a message “anonymously” [CvH’91] Signature shows that message was signed by some member of a group

  28. Group Signatures To sign a message “anonymously” [CvH’91] Signature shows that message was signed by some member of a group But a group manager can “trace” the signer

  29. Group Signatures To sign a message “anonymously” [CvH’91] Signature shows that message was signed by some member of a group But a group manager can “trace” the signer However, the group manager or other group members “cannot frame” a member

  30. Group Signatures

  31. Group Signatures Full-Anonymity : Adversary gives (m,ID 0 ,ID 1 ) and gets back Sign(m;ID b ) for a random bit b. Advantage of the adversary in finding b should be negligible.

  32. Group Signatures Full-Anonymity : Adversary gives (m,ID 0 ,ID 1 ) and gets back Sign(m;ID b ) for a random bit b. Advantage of the adversary in finding b should be negligible. Adversary knows secret keys of all group-members, and has oracle access to the “tracing algorithm” (but not allowed to query it on the challenge)

  33. Group Signatures Full-Anonymity : Adversary gives (m,ID 0 ,ID 1 ) and gets back Sign(m;ID b ) for a random bit b. Advantage of the adversary in finding b should be negligible. Adversary knows secret keys of all group-members, and has oracle access to the “tracing algorithm” (but not allowed to query it on the challenge) Implies unlinkability (can’ t link signatures from same user)

  34. Group Signatures Full-Anonymity : Adversary gives (m,ID 0 ,ID 1 ) and gets back Sign(m;ID b ) for a random bit b. Advantage of the adversary in finding b should be negligible. Adversary knows secret keys of all group-members, and has oracle access to the “tracing algorithm” (but not allowed to query it on the challenge) Implies unlinkability (can’ t link signatures from same user) Full-Traceability : If a set of group members collude and create a valid signature, the tracing algorithm will trace at least one member of the set. This holds even if the group manager is passively corrupt.

  35. Group Signatures Full-Anonymity : Adversary gives (m,ID 0 ,ID 1 ) and gets back Sign(m;ID b ) for a random bit b. Advantage of the adversary in finding b should be negligible. Adversary knows secret keys of all group-members, and has oracle access to the “tracing algorithm” (but not allowed to query it on the challenge) Implies unlinkability (can’ t link signatures from same user) Full-Traceability : If a set of group members collude and create a valid signature, the tracing algorithm will trace at least one member of the set. This holds even if the group manager is passively corrupt. Implies unforgeability (i.e., with no group members colluding with it, adversary cannot produce a valid signature) and framing-resistance (even colluding with the group manager)

  36. Group Signatures

  37. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03]

  38. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i )

  39. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group )

  40. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group ) Signature is (C, π ), where:

  41. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group ) Signature is (C, π ), where: s = Sign(message; SK i )

  42. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group ) Signature is (C, π ), where: s = Sign(message; SK i ) C = Encrypt PKgroup (s,SK* i )

  43. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group ) Signature is (C, π ), where: s = Sign(message; SK i ) C = Encrypt PKgroup (s,SK* i ) π = a proof (w.r.t CRS group ) that C is correct

  44. Group Signatures A general construction: using a digital signature scheme, a CCA secure encryption scheme, and a “simulation-sound” NIZK [BMW’03] Each member’ s signing key SK* i = (SK i ,VK i ,ID i , σ ) where (SK i ,VK i ) are signing/verification keys, PK i is an encryption key and σ is a signature (w.r.t. VK group ) in from the group-manager on (VK i ,ID i ) Group signature’ s verification key = (VK group , PK group , CRS group ) Signature is (C, π ), where: s = Sign(message; SK i ) C = Encrypt PKgroup (s,SK* i ) π = a proof (w.r.t CRS group ) that C is correct Tracing algorithm decrypts C to find SK* i and hence ID i

  45. Ring Signatures

  46. Ring Signatures For “leaking secrets”

  47. Ring Signatures For “leaking secrets” Similar to group signatures, but with unwitting collaborators

  48. Ring Signatures For “leaking secrets” Similar to group signatures, but with unwitting collaborators i.e. the “ring” is not a priori fixed

  49. Ring Signatures For “leaking secrets” Similar to group signatures, but with unwitting collaborators i.e. the “ring” is not a priori fixed And no manager who can trace the signer

  50. Ring Signatures

  51. Ring Signatures Recall T-OWP/RO based signature

  52. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F)

  53. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m))

  54. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m)) Verify(S;F): check if H(m) = F(S)

  55. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m)) Verify(S;F): check if H(m) = F(S) Extended to a ring signature [RST’01]

  56. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m)) Verify(S;F): check if H(m) = F(S) Extended to a ring signature [RST’01] Verify(m, (S 1 ,...,S n ); (F 1 ,...,F n )) : check H(m) = F 1 (S 1 ) + ... + F n (S n )

  57. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m)) Verify(S;F): check if H(m) = F(S) Extended to a ring signature [RST’01] Verify(m, (S 1 ,...,S n ); (F 1 ,...,F n )) : check H(m) = F 1 (S 1 ) + ... + F n (S n ) Sign (m; F 1-1 ,F 2 ,...,F n ) = (S 1 ,...,S n ) where S 2 ,...,S n are random and S 1 = F 1-1 ( H(m) - F 2 (S 2 ) - ... - F n (S n ) )

  58. Ring Signatures Recall T-OWP/RO based signature (SK,VK) = (F -1 ,F) Sign(m;F -1 ) = F -1 (H(m)) Verify(S;F): check if H(m) = F(S) Extended to a ring signature [RST’01] Verify(m, (S 1 ,...,S n ); (F 1 ,...,F n )) : check H(m) = F 1 (S 1 ) + ... + F n (S n ) Sign (m; F 1-1 ,F 2 ,...,F n ) = (S 1 ,...,S n ) where S 2 ,...,S n are random and S 1 = F 1-1 ( H(m) - F 2 (S 2 ) - ... - F n (S n ) ) Unwitting collaborators: F i ’ s could be the verification keys for a standard signature scheme

  59. Mesh Signatures

  60. Mesh Signatures Ring signature allows statements of the form 
 (P 1 signed m) or (P 2 signed m) or .... or (P n signed m)

  61. Mesh Signatures Ring signature allows statements of the form 
 (P 1 signed m) or (P 2 signed m) or .... or (P n signed m) Mesh signatures extend this to more complex statements

  62. Mesh Signatures Ring signature allows statements of the form 
 (P 1 signed m) or (P 2 signed m) or .... or (P n signed m) Mesh signatures extend this to more complex statements e.g., (P 1 signed m 1 ) or ( (P 2 signed m 2 ) and (P 3 signed m 3 ) )

  63. Mesh Signatures Ring signature allows statements of the form 
 (P 1 signed m) or (P 2 signed m) or .... or (P n signed m) Mesh signatures extend this to more complex statements e.g., (P 1 signed m 1 ) or ( (P 2 signed m 2 ) and (P 3 signed m 3 ) ) e.g., some two out of the three statements (P 1 signed m 1 ), (P 2 signed m 2 ), (P 3 signed m 3 ) hold

Recommend


More recommend