1 / 24

Efficient Sequential Aggregate Signed Data

Efficient Sequential Aggregate Signed Data. Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven. Digital signatures. (pk,sk) ← KeyGen(). (pk),M, σ. σ ← Sign(sk,M). 0/1 ← Verify(pk,M,σ). Digital signatures. σ 1 ← Sign(sk 1 ,M 1 ).

dutch
Download Presentation

Efficient Sequential Aggregate Signed Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven

  2. Digital signatures (pk,sk) ← KeyGen() (pk),M,σ σ ← Sign(sk,M) 0/1 ←Verify(pk,M,σ)

  3. Digital signatures σ1← Sign(sk1,M1) (pk1,…,pkn),M1,…,Mn, σ1,…, σn σ1 … σn A i : 0/1 ←Verify(pki,Mi,σi) σn← Sign(skn,Mn)

  4. Aggregate signatures (AS) [BGLS03] Goal: |σ| < |σ1| + … + |σn| , preferably constant Motivation: certificate chains secure routing protocols save bandwidth (= battery life) for wireless devices σ1← Sign(sk1,M1) (pk1,…,pkn),M1,…,Mn, σ σ1 … σn σ ← Agg(σ1,…,σn) 0/1 ←Verify(pk,M,σ) σn← Sign(skn,Mn)

  5. Sequential aggregate signatures (SAS) [LMRS04] σ1← Sign(sk1,M1) Goal: |σ| < |σ1| + … + |σn| , preferably constant Motivation: certificate chains secure routing protocols save bandwidth (= battery life) for wireless devices σ1 σ2← Sign(sk2,M2,σ1) … σn-1 (pk1,…,pkn),M1,…,Mn, σ σ = σn← Sign(skn,Mn,σn-1) 0/1 ←Verify(pk,M,σ)

  6. Existing (S)AS schemes

  7. Drawbacks of existing schemes • Current drawbacks of pairings (BGLS, LOSSW) • trust in assumptions vs. factoring, RSA • no standardization • implementations • Rather inefficient verification (BGLS, LMRS) • BGLS: n pairings • LMRS: certified claw-free trapdoor permutations instantiation from RSA requires e > N → verification = signing = n full-length exps • Weak key setup model (LOSSW) plain public-key vs. knowledge of secret key (KOSK)

  8. Drawbacks of existing schemes • Security parameter flexibility (BGLS, LMRS, LOSSW) e.g. certificate chains • BGLS, LOSSW: no flexibility whatsoever • LMRS: increasing modulus size only → exact opposite of what we need • No (S)AS schemes for currently existing keys/certificates! security level cert1← Sign(sk1, ID2||pk2) cert1 1 cert2← Sign(sk2, IDU||pk, cert1) 2 cert2 σ ← Sign(sk, M, cert2) U

  9. Our contributions • Generalization of SAS to SASD • SASD scheme with • instantations from low-exponent RSA and factoring • efficient signing (1 exp + O(n) mult) and verification (O(n) mult) • full flexibility in modulus size • compatible with existing RSA/Rabin keys and certificates • Pure SAS scheme with same properties • Generalization of multi-signatures to multi-signed data (MSD) • Non-interactive MSD scheme from RSA and factoring (no pairings)

  10. Sequential aggregate signatures [LMRS04] σ1← Sign(sk1,M1) Goal: |σ| < |σ1| + … + |σn| σ1 σ2← Sign(sk2,M2,σ1) … σn-1 (pk1,…,pkn),M1,…,Mn, σ σ = σn← Sign(skn,Mn,σn-1) 0/1 ←Verify(pk,M,σ)

  11. Sequential aggregate signed data (SASD) Σ1← Sign(sk1,M1) Goal: minimize “net overhead” |Σ| – |M1| – … – |Mn| Σ1 Σ2← Sign(sk2,M2,Σ1) … Σn-1 Σ Σ = Σn← Sign(skn,Mn,Σn-1) (pk,M)/ ←Verify(Σ) ┴

  12. SASD scheme intuition Step 1. Full-domain hash with message recovery Trapdoor permutation π, message M = m||µ H = M m µ G π -1 = = Σ m X h net overhead ≈160 bits

  13. ? = SASD scheme intuition Step 1. Full-domain hash with message recovery Trapdoor permutation π, message M = m||µ H = M m µ G π = Σ m X h net overhead ≈160 bits

  14. SASD scheme intuition Step 2. Aggregating the hashes H M1 m1 µ1 = G -1 π 1 Σ1 m1 X1 h1 = H M2 m2 µ2 = G -1 π 2 Σ2 m2 X2 h2 = net overhead ≈ 2×160 = 320 bits

  15. SASD scheme intuition Step 2. Aggregating the hashes (intuition only – insecure!) H M1 m1 µ1 = G -1 π 1 Σ1 m1 X1 h1 = H M2 m2 µ2 = G -1 π 2 Σ2 m2 X2 h2 = net overhead ≈160 bits

  16. ? = SASD scheme intuition Step 2. Aggregating the hashes (intuition only – insecure!) H M1 m1 µ1 = G π 1 Σ1 m1 X1 h1 = H M2 m2 µ2 = G π 2 Σ2 m2 X2 h2 = net overhead ≈160 bits

  17. SASD scheme intuition Step 3. Recovering any type of data (intuition only – insecure!) H M1 m1 µ1 = = G -1 π 1 Σ1 m1 X1 h1 = = H M2 X1 G -1 π 2 Σ2 M2 X2 h2 = net overhead ≈160 bits

  18. The SASD scheme Step 4. Getting the details right: see paper. Theorem. If there exists a forger that (t,qS,qH,qG,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where

  19. Comparison of SAS(D) schemes P = pairing E = exponentiation M = multiplication n = #signatures in aggregate

  20. Non-interactive multi-signatures (MS) n signatures on same message M Goal: |σ| < |σ1| + … + |σn| Sign(sk1,M) σ1 (pk1,…,pkn), M, σ … σn 0/1 ←Verify(pk,M,σ) Σ← Agg(σ1,…, σn) Sign(skn,M)

  21. Non-interactive multi-signed data (MSD) n signatures on same message M Goal: minimize “net overhead” |Σ| – |M| Sign(sk1,M) Σ1 Σ … Σn (pk,M)/ ←Verify(Σ) Σ← Agg(Σ1,…, Σn) ┴ Sign(skn,M)

  22. MSD scheme Each partial signature contains part of M H M m1 µ1 m2 µ2 m3 µ3 m4 = G G -1 π G 1 -1 π 2 -1 π 3 Σ m1 Σ1 m2 Σ2 m3 Σ3 m4 h = net overhead ≈160 bits Who takes which part of M? • Fully non-interactive: pos = hash(πi,M) • Known co-signers: fixed (e.g. lexicographic) order

  23. Comparison of MS(D) schemes P = pairing E = exponentiation M = multiplication n = #signatures in aggregate

  24. Closing remarks • In summary: propose SAS, SASD, MSD schemes • first based on low-exponent RSA and factoring • outperform existing schemes in many respects • free choice of modulus size • work with existing RSA/Rabin keys • Tight reduction using Katz-Wang, or next talk • Full version: ePrint Report 2008/063

More Related