
Transitive Signatures based on Factoring and RSA

Mihir Bellare (University of California, San Diego, USA), Gregory Neven (Katholieke Universiteit Leuven, Belgium).


Presentation Transcript


  1. Transitive Signatures based on Factoring and RSA
     Mihir Bellare (University of California, San Diego, USA), Gregory Neven (Katholieke Universiteit Leuven, Belgium)

  2. Standard digital signatures
     • Key generation: SKG($1^k$) → (spk, ssk)
     • Signing: SSign(ssk, M) → σ
     • Verification: SVf(spk, M, σ') → accept / reject

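  3. Transitive signatures [MR02]
     • Message is pair of nodes i, j
     • Signing i, j = creating and authenticating edge {i, j}
     • An authenticated graph grows with time
     • Key generation: TKG($1^k$) → (tpk, tsk)
     • Signing: TSign(tsk, i, j) → $\sigma_{i,j}$
     • Verification: TVf(tpk, i, j, $\sigma'_{i,j}$) → accept / reject
     [Figure: graph on nodes 1 to 5 with signed edges {1,2}, {2,3}, {4,5} carrying $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$.]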

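  4. Transitive signatures [MR02]
     • Additional composition algorithm
     • Authenticated graph is transitive closure of directly signed edges
     • Key generation: TKG($1^k$) → (tpk, tsk)
     • Signing: TSign(tsk, i, j) → $\sigma_{i,j}$
     • Verification: TVf(tpk, i, j, $\sigma'_{i,j}$) → accept / reject
     • Composition: Comp(tpk, i, j, k, $\sigma_{i,j}$, $\sigma_{j,k}$) → $\sigma_{i,k}$
     [Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; Comp on input 1, 2, 3, $\sigma_{1,2}$, $\sigma_{2,3}$ yields $\sigma_{1,3}$.]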

  5. Security of transitive signatures
     • Standard security definition of [GMR] doesn't apply: composition allows forgery to some extent
     • New security goal [MR02]:
       • computationally infeasible to forge signatures not in transitive closure of the edges signed directly by the signer
       • even under "chosen-edge" attack
     [Figure: forger F receives tpk and queries the oracle $\mathrm{TSign}_{tsk}(\cdot,\cdot)$ on edges {1,2}, {2,3}, {4,5}, obtaining $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; the graph on nodes 1 to 5 also shows $\sigma_{1,3}$ and $\sigma_{1,4}$, and F outputs {1,4}, $\sigma_{1,4}$.]

  6. Why transitive signatures? Applications?
     Micali and Rivest suggest
     • military chain-of-command (directed)
     • administrative domains (undirected)
     Compelling application yet to be found. But a cool concept! :-)

  7. RSATS-1: RSA based scheme [MR02]
     Assume standard signature scheme with
     • key pair (spk, ssk)
     • message M signed under ssk, written [M]
     tpk = (spk, N, e); tsk = ssk
     Signer assigns to each node i:
     • secret label $x_i \stackrel{R}{\leftarrow} \mathbb{Z}_N^*$
     • public label $y_i \leftarrow x_i^e \bmod N$
     • node certificate $[i, y_i]$
     To sign edge {1,2}:
     • edge label $\delta_{1,2} \leftarrow x_1 \cdot x_2^{-1} \bmod N$
     • signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$
     Verification of $([1, y_1], [2, y_2], \delta_{1,2})$:
     • check node certificates
     • check $\delta_{1,2}^e = y_1 \cdot y_2^{-1} \bmod N$
     [Figure: nodes 1, 2, 3 labelled $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$, with edge $\sigma_{1,2}$.]

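  8. Composition in RSATS-1
     To compose signatures $\sigma_{1,2}$ and $\sigma_{2,3}$, where $[i, y_i]$ is the node certificate of node i:
     • $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ where $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
     • $\sigma_{2,3} = ([2, y_2], [3, y_3], \delta_{2,3})$ where $\delta_{2,3} = x_2 \cdot x_3^{-1} \bmod N$
     • $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ where $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N = (x_1 \cdot x_2^{-1})(x_2 \cdot x_3^{-1}) \bmod N = x_1 \cdot x_3^{-1} \bmod N$
     The $x_i$ are kept in signer's state.
     [Figure: nodes 1, 2, 3 labelled $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$.]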

  9. Non-adaptive security of RSATS-1
     RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
     • RSA is one-way
     • underlying standard signature scheme is secure under chosen-message attack
     Is RSATS-1 secure under adaptive attack?
     • Neither proof nor attack known
     • Might rely on stronger properties of RSA than one-wayness
     • We consider security under one-more inversion [BNPS01]

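  10. RSA under one-more inversion
      [Figure: adversary A receives N, e and has two oracles. Chall returns challenges $y_1, \dots, y_m$ with each $y_i \stackrel{R}{\leftarrow} \mathbb{Z}_N^*$. $\mathrm{RSA}^{-1}_{N,e}(\cdot)$ answers queries $z_1, \dots, z_n$ with $z_1^d \bmod N, \dots, z_n^d \bmod N$. A outputs $x_1, \dots, x_m$.]
      A is successful iff
      • $x_i^e = y_i \bmod N$ for $i = 1..m$
      • $n < m$
      Assumption: this problem is hard [BNPS01]
      Used before
      • by [BNPS01] to prove security of Chaum's blind signatures
      • by [BP02] to prove security of GQ identification scheme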

  11. Adaptive security of RSATS-1
      Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
      • the one-more RSA-inversion problem is hard
      • the underlying standard signature scheme is secure under chosen-message attack.

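  12. Proof idea for RSATS-1
      [Figure: adversary A receives N, e, has oracles Chall and $\mathrm{RSA}^{-1}$, and runs forger F on (spk, N, e). Chall supplies the public labels $y_i$. F queries edges {1,2}, {1,3}, {2,3}; A submits $y_1 y_2^{-1}$ and $y_2 y_3^{-1}$ to $\mathrm{RSA}^{-1}$ and obtains $\delta_{1,2}$ and $\delta_{2,3}$. The graph has nodes 1 to 6 with labels $y_1, \dots, y_6$ in two components of $n_1$ and $n_2$ nodes, edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{1,3}$, $\sigma_{5,6}$, $\sigma_{4,6}$, and the edge $\sigma_{1,4}$ output by F. A outputs $x_1, \dots, x_6$.]
      If A would know $x_3$ (remember $\delta_{i,j} = x_i \cdot x_j^{-1}$):
      • $x_2 \leftarrow \delta_{2,3} \cdot x_3$
      • $x_1 \leftarrow \delta_{1,2} \cdot x_2$
      Query count:
      • $n_1 - 1$ queries for the component with $n_1$ nodes, $n_2 - 1$ queries for the component with $n_2$ nodes
      • $(n_1 - 1) + (n_2 - 1) + 1 = n_1 + n_2 - 1$ queries $< n_1 + n_2$ decrypted challenges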

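  13. FBTS-1: Factoring based scheme
      tpk = (spk, N); tsk = ssk
      Signer assigns to each node i:
      • secret label $x_i \stackrel{R}{\leftarrow} \mathbb{Z}_N^*$
      • public label $y_i \leftarrow x_i^2 \bmod N$
      • node certificate $[i, y_i]$, that is, $(i, y_i)$ signed under ssk
      Signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ with $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
      Verification of $\sigma_{1,2}$:
      • check signatures on $[1, y_1]$, $[2, y_2]$
      • check $\delta_{1,2}^2 = y_1 \cdot y_2^{-1} \bmod N$
      Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$: $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ with $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N$
      [Figure: nodes 1, 2, 3 labelled $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$.]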

  14. Security of FBTS-1
      Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
      • factoring N is hard
      • the underlying standard signature scheme is secure under chosen-message attack.
      Proof idea:
      • with probability 1/2, forgery gives second square root
      • signatures might leak information about known root → information-theoretic lemma needed

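  15. Node certification paradigm
      For each node i, the signer:
      • chooses secret label $x_i$
      • computes public label $y_i = f(x_i)$
      • creates node certificate $[i, y_i]$, that is, $(i, y_i)$ signed under ssk
      Signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ where $\delta_{1,2} = g(x_1, x_2)$
      Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$: $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ where $\delta_{1,3} = h(\delta_{1,2}, \delta_{2,3})$

      | Scheme  | $f(x_i)$         | $g(x_i, x_j)$                 | $h(\delta_{i,j}, \delta_{j,k})$           |
      |---------|------------------|-------------------------------|-------------------------------------------|
      | RSATS-1 | $x_i^e \bmod N$  | $x_i \cdot x_j^{-1} \bmod N$  | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |
      | FBTS-1  | $x_i^2 \bmod N$  | $x_i \cdot x_j^{-1} \bmod N$  | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |

      [Figure: nodes 1, 2, 3 labelled $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$.]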

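  16. Eliminating node certificates
      Let $H_{tpk}$ be a public hash function.
      For each node i, signer lets:
      • public label $y_i \leftarrow H_{tpk}(i)$
      • secret label $x_i \leftarrow$ "inversion" of $y_i$ (using trapdoor information in tsk) [callout: RSATS-1 and FBTS-1, but not MRTS]
      Signature $\sigma_{1,2} = \delta_{1,2}$ where $\delta_{1,2} = f(x_1, x_2)$
      Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$: $\sigma_{1,3} = \delta_{1,3}$ where $\delta_{1,3} = g(\delta_{1,2}, \delta_{2,3})$
      [Figure: nodes 1, 2, 3 labelled $y_1 = H_{tpk}(1), x_1$; $y_2 = H_{tpk}(2), x_2$; $y_3 = H_{tpk}(3), x_3$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$.]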

  17. RSATS-2 and FBTS-2
      RSATS-2: Straightforward application of this idea to RSATS-1
      Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
      • the one-more RSA-inversion problem is hard
      • $H_N: \{0,1\}^* \to \mathbb{Z}_N^*$ is a random oracle.
      FBTS-2: Modifications needed because public labels have to be squares mod N
      Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
      • factoring N is hard
      • $H_N: \{0,1\}^* \to \mathbb{Z}_N^*[+1]$ is a random oracle.

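  18. Previously known schemes

      | Scheme  | Security assumption                        | Adaptive? | Signature size                                             |
      |---------|--------------------------------------------|-----------|------------------------------------------------------------|
      | Trivial | Standard signatures                        | Yes       | O(path length)                                             |
      | MRTS    | Discrete logarithms, standard signatures   | Yes       | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
      | RSATS-1 | One-wayness of RSA, standard signatures    | No        | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$                |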

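  19. Scheme contributions

      | Scheme  | Security assumption                        | Adaptive? | Random oracle? | Signature size                                             |
      |---------|--------------------------------------------|-----------|----------------|------------------------------------------------------------|
      | Trivial | Standard signatures                        | Yes       | No             | O(path length)                                             |
      | MRTS    | Discrete logarithms, standard signatures   | Yes       | No             | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
      | RSATS-1 | One-wayness of RSA, standard signatures    | No        | No             | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$                |
      | RSATS-1 | One-more RSA, standard signatures          | Yes       | No             | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$                |
      | FBTS-1  | Factoring, standard signatures             | Yes       | No             | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$                |
      | RSATS-2 | One-more RSA                               | Yes       | Yes            | 1 point in $\mathbb{Z}_N^*$                                |
      | FBTS-2  | Factoring                                  | Yes       | Yes            | 1 point in $\mathbb{Z}_N^*$                                |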

  20. Questions?
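
The certificate-free scheme of slides 16 and 17 (RSATS-2) together with the composition rule of slide 8, as an added example that is not part of the presentation. The toy modulus built from two Mersenne primes, the SHA-256-with-counter instantiation of H_N and all function names are assumptions made here.

```python
import hashlib
from math import gcd

# Toy RSA parameters, constructed for illustration only (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1          # two known Mersenne primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor d, part of tsk

def h_n(node: int) -> int:
    """Public label y_i = H_N(i): hash the node name into Z*_N (assumed construction)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{node}|{ctr}".encode()).digest()
        y = int.from_bytes(digest, "big") % N
        if y > 1 and gcd(y, N) == 1:
            return y
        ctr += 1

def secret_label(node: int) -> int:
    """x_i = y_i^d mod N: the 'inversion' of y_i, computable only with the trapdoor."""
    return pow(h_n(node), D, N)

def tsign(i: int, j: int) -> int:
    """Edge signature delta_{i,j} = x_i * x_j^{-1} mod N (signer only)."""
    return secret_label(i) * pow(secret_label(j), -1, N) % N

def tvf(i: int, j: int, delta: int) -> bool:
    """Accept iff delta^e = y_i * y_j^{-1} mod N; uses public values only."""
    return pow(delta, E, N) == h_n(i) * pow(h_n(j), -1, N) % N

def comp(delta_ij: int, delta_jk: int) -> int:
    """Compose without tsk: delta_{i,k} = delta_{i,j} * delta_{j,k} mod N."""
    return delta_ij * delta_jk % N

if __name__ == "__main__":
    s12, s23, s45 = tsign(1, 2), tsign(2, 3), tsign(4, 5)
    s13 = comp(s12, s23)             # anyone holding s12 and s23 can do this
    print("composed {1,3} verifies:", tvf(1, 3, s13))
    print("equals direct signature:", s13 == tsign(1, 3))
    # {1,4} is outside the transitive closure of the signed edges.
    print("{1,4} built from s12, s45 verifies:", tvf(1, 4, comp(s12, s45)))
```

The composed value for {1,3} is identical to what the signer would produce directly, so a verifier cannot tell composed signatures from original ones; the product of signatures on edges that share no node fails verification.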
