250 likes | 387 Views
Server-Aided Verification : Theory and Practice. Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623 Author: Marc Girault and David Lefranc Presenter: Chun-Yen Lee. Outline. Introduction Model SAV Protocols for Identification Schemes First SAV Protocols for Pairing-Based Schemes Conclusion.
E N D
Server-Aided Verification : Theory and Practice Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623 Author: Marc Girault and David Lefranc Presenter: Chun-Yen Lee
Outline • Introduction • Model • SAV Protocols for Identification Schemes • First SAV Protocols for Pairing-Based Schemes • Conclusion
Introduction Prover Verifier Server
Outline • Introduction • Model • An Illustrative Example • Definitions • Security Model in the Case of Signature Scheme • SAV Protocols for Identification Schemes • First SAV Protocols for Pairing-Based Schemes • Conclusion
An Illustrative Example • In this scheme,the signer computes a signature of the message m by extracting an root modulo n of f(m), where f is specific to the exact scheme which is used . • The verifier checks that • If the equality holds, is accepted; otherwise, it is rejected.
An Illustrative Example server verifier
An Illustrative Example server verifier
An Illustrative Example • what about a possible collusion between a cheating prover and the server?
An Illustrative Example cheater server verifier
Outline • Introduction • Model • An Illustrative Example • Definitions • Security Model in the Case of Signature Scheme • SAV Protocols for Identification Schemes • First SAV Protocols for Pairing-Based Schemes • Conclusion
Definitions • Definition 1(Legitimate/Misbehaving/Cheating) • P : prover • V : verifier • : a prover which deviates from the protocol • cheating • misbehaving • : aninteractive proof of knowledge between P and V
Definitions • Definition 2(SAV protocol) • : aninteractive proof of knowledge between P and V, with a common input I of size|I|, and which halts by verifying a predicate . • if the predicate is satisfied • if not • : the computational cost of V
Definitions • Definition 2(SAV protocol) • : aninteractive proof of knowledge between P , V and S(server), equal to the composition of two protocols • is equal to protocol without the verifiaction of ; • is an interactive protocol between V and S ; • V finally accepts or rejects I by verifying a final predicate • : the computational cost of V
Definitions • Definition 2(SAV protocol) • The protocol is said to be a server-aided verification (SAV) protocol for if • 1.(auxiliary completeness)
Definitions • Definition 2(SAV protocol) • The protocol is said to be a server-aided verification (SAV) protocol for if • 2.(auxiliary soundness) • 3.(computation gain) • The computational cost is strictly less than
Definitions • Definition 2(SAV protocol) • The protocol is said to be a server-aided verification (SAV) protocol for if • If non-repudiation is required, must also verify: • (auxiliary non-repudiation)
Outline • Introduction • Model • SAV Protocols for Identification Schemes • An Unconditionally-Unknown-Predicate-Based SAV Protocol • A Hard-to-Solve-Predicate-Based SAV Protocol • First SAV Protocols for Pairing-Based Schemes • Conclusion
The Lim-Lee modification of the Schnorr identification scheme
The Lim-Lee modification of the Schnorr identification scheme • Theorem 1. • Let I be a public key (g, p, q, v) and tthe security parameter for the Schnorr scheme. • The Lim-Lee protocol is a SAV protocol for the Schnorr Scheme if |q|>t and log2|I|=o(t).
Definitions • Definition 2(SAV protocol) • The protocol is said to be a server-aided verification (SAV) protocol for if • 1.(auxiliary completeness)
The Lim-Lee modification of the Schnorr identification scheme • Proof : • : • : Auxiliary completeness.
The Lim-Lee modification of the Schnorr identification scheme
The Lim-Lee modification of the Schnorr identification scheme • Auxiliary soundness. • The entropy over k is exactly equal to t. • k is unconditionally unknown • only one value k satisfies the final equation • : the probability is equal to 2-t • This probability is negligible if log2|I|=o(t)
The Lim-Lee modification of the Schnorr identification scheme • Computational gain. • Schnorr scheme, |y|=|q| and |c|=|k|=t • = 1.5|q|+0.25|t| modular multiplications • Lim-Lee scheme • : 1.75t modular multiplications • multiplying by Z requires one more • = 1.75t+1modular multiplications • If we omit the negligible cost ( ) • If |q|>t,1.5(|q|-t)-1>0
The Lim-Lee modification of the Schnorr identification scheme • Auxiliary non-repudiation • As the security of the SAV relies on the perfect privacy of k, i.e the unconditional security of the transformation over y. • even the misbehaving prover has no advantage over a cheater to determine this value k.