1 / 15

Sequential Aggregate Signatures and Multisignatures Without Random Oracles

Sequential Aggregate Signatures and Multisignatures Without Random Oracles. Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Secure BGP. BGP “Speakers” send path updates messages S-BGP sequence of messages + sigs. 4096 byte size limit. (M1,  1 ).

yoshio-austin
Download Presentation

Sequential Aggregate Signatures and Multisignatures Without Random Oracles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sequential Aggregate Signatures and MultisignaturesWithout Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters

  2. Secure BGP • BGP “Speakers” send path updates messages • S-BGP sequence of messages + sigs. • 4096 byte size limit (M1,1) (M1,1), (M2,2), (M3,3) (M1,1), (M2,2)

  3. Aggregate Sigs [BGLS03] Sign Aggregate

  4. Verisign Versign Europe NatWest NatWest WWW Aggregate Signatures [BGLS03] • A single short aggregate provides nonrepudiation for many different messages under many different keys • More general than multisignatures • Applications: • X.509 certificate chains • Secure BGP route attestations • PGP web of trust

  5. BGLS Aggregate Sigs BLS Sigs: PK = ga SK=a Sign(SK,M): =H(M)a Verify(PK,M,): e(,g)=e( H(M), PK) Secure in R.O. Model --- Deterministic Signatures

  6. BGLS Aggregate Sigs PKi = gai SKi=ai Sign(SKi,Mi): i=H(Mi)ai Aggregate(1,…n): *=i=1…ni Verify(PKi,M1,…,Mn ,*): e(*,g)=i=1,…n e( H(Mi), PKi) Verification requires n pairings

  7. Difficulty w/o Random Oracles • Known efficient signatures have a random component • Strong RSA sigs[GHR’ 99, CS’99] • B-Map [BB’04,CL’04.W’05] • Tree- sigs • Difficult to aggregate • Independent signatures => Independent randomness

  8. Sequential Aggregates [LMRS’04] • Signing and Aggregation are a single operation • Inherently sequenced; not appropriate for PGP Sign and Aggregate

  9. Our Approach • Build from W’05 signatures • Signer uses same randomess from previous sig • Then re-randomizes

  10. Our Aggregate Sigs W’05 Sigs: PK = e(g,g)a ,h, u1,…,um SK=a Sign(SK,M): =(’,’’)=ga (h i=1,…m uMi)r , g-r Verify(PK,M,): e( ’,g) e( ’’, h i=1,…m uMi)=e(g,g)a Secure w/o R.O.s

  11. Our Aggregate Sigs PKi = e(g,g)ai ,hi=gyi’, ui,1=gyi,1…,um, =gyi,m SK =ai ,yi’, yi,1,…,yi,m Agg(SKi,Mi,*=1,2): x=DL(h j=1,…m uMi,j ) • *=(’,’’)=ga2x1, 2 Verify(PK,M1,…Mn,*=(’,’’)): e( ’,g) e( ’’, i=1…n hjj=1,…m uMi,j)=i=1…n e(g,g)ai Know DL PK

  12. Comparisons Shorter than LMRS Faster Ver. than BGLS

  13. Summary and Open Problems • Sequential Aggregate Signatures w/o R.O. • Use same randomness sequentially • Arguably better Performance than R.O. schemes • Multi-Sigs and Verifiable Enc. Sigs • Shorter Public Parameters • Certificate Chains • Full Aggregate Signatures

  14. THE END

  15. Sequential Aggregate Chosen-Key Model • Nontriviality: • σ* is a valid sequential aggregate • challenge key pk = pkj* for some j; • No oracle query at pk1*,…,pkj*;M1*,…,Mj*. AggSign() oracle Adversary

More Related