Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Slides:



Advertisements
Similar presentations
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Advertisements

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Cryptography and Network Security
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Sub-linear Size Pairing-Based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.
Cryptography and Network Security Chapter 13
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
Chapter 13 Digital Signature
By Jyh-haw Yeh Boise State University ICIKM 2013.
8. Data Integrity Techniques
Digital Signatures Applied Handbook of Cryptography: Chapt 11
11 Digital Signature.  Efficiency  Unforgeability : only signer can generate  Not reusable : not to use for other message  Unalterable : No modification.
Bob can sign a message using a digital signature generation algorithm
1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.
Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Introduction to Proofs
CS 4/585: Cryptography Tom Shrimpton FAB
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures Masayaki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT.
Topic 22: Digital Schemes (2)
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013
Class 5 Channels and Preview CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Alternative Wide Block Encryption For Discussion Only.
The Paillier Cryptosystem
Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists Stephanie Bayer Jens Groth University College London TexPoint fonts used.
New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
多媒體網路安全實驗室 Anonymous ID Signature Scheme with Provable Identity Date: Reporter :Chien-Wen Huang 出處: 2008 Second International Conference on Future.
Copyright (c) 2012 NTT Secure Platform Labs. Group to Group Commitments Do Not Shrink Masayuki ABE Kristiyan Haralambiev Miyako Ohkubo 1.
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.
Prepared by Dr. Lamiaa Elshenawy
A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,
 Requirement  Security  Classification  RSA Signature  ElGamal Signature  DSS  Other Signature Schemes  Applied Digital Signatures 11.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.
COM 5336 Lecture 8 Digital Signatures
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
1 4.1 Hash Functions and Data Integrity A cryptographic hash function can provide assurance of data integrity. ex: Bob can verify if y = h K (x) h is a.
Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007.
Cryptography and Network Security Chapter 13
On the Size of Pairing-based Non-interactive Arguments
Digital signatures.
Cryptography Lecture 26.
Short Pairing-based Non-interactive Zero-Knowledge Arguments
Cryptography Lecture 10.
Cryptography Lecture 22.
Cryptography Lecture 25.
Cryptography Lecture 26.
Jens Groth and Mary Maller University College London
Presentation transcript:

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU Miyako Ohkubo, NICT

Mathematical structures in cryptography Cyclic prime order group G Useful mathematical structure –ElGamal encryption –Pedersen commitments –Schnorr proofs –…

Pairing-based cryptography Groups G, H, T with bilinear map e: G  H  T Additional mathematical structure –Identity-based encryption –Short digital signatures –Non-interactive zero-knowledge proofs –…

Bilinear group Gen(1 k ) returns (p, G, H, T,G,H,e) –Groups G, H, T of prime order p –G =  G , H =  H  –Bilinear map e: G  H  T e(G a,H b ) = e(G,H) ab T =  e(G,H)  –Can efficiently compute group operations, evaluate bilinear map and decide membership Asymmetric group No efficiently computable homomorphisms between G and H

Structure-preserving signatures with generic signer The public verification key, the messages and the signatures consist of group elements in G and H The verifier evaluates pairing product equations –Accept signature if e(M,V 1 )e(S 1,V 2 ) = 1 e(S 2,V 2 )e(M,V 2 ) = e(G,V 3 ) The signer only uses generic group operations –Signature of the form (S 1,S 2,…) where S 1 = M  G , S 2 = …

Structure-preserving signatures Composes well with other pairing-based schemes –Easy to encrypt structure-preserving signatures –Easy use with non-interactive zero-knowledge proofs –…–… Applications –Group signatures –Blind signatures –Delegatable credentials –…–…

Results Lower bound –A structure-preserving signature consists of at least 3 group elements Construction –A structure-preserving signature scheme matching the lower bound

Lower bound Theorem –A structure-preserving signature made by a generic signer consists of at least 3 group elements Proof uses the structure-preservation and the fact that the signer only does generic group operations –Not information-theoretic bound Shorter non-structure-preserving signatures exist –Uses generic group model on signer instead of adversary

Proof overview Without loss of generality lower bound for M  G Theorems –Impossible to have unilateral structure-preserving signatures (all elements in G or all elements in H ) –Impossible to have a single verification equation (for example e(S 2,V 2 )e(M,V 2 ) = 1) –Impossible to have signatures of the form (S,T)  G  H

Unilateral signatures are impossible A similar argument shows there are no unilateral signatures (S 1,S 2,…,S k )  G k

Unilateral signatures are impossible Case II –There is no single element signature T  H for M  G Proof –A generic signer wlog computes T = H t where t is chosen independently of M –Since T is independent of M either the signature scheme is not correct or the signature is valid for any choice of M and therefore easily forgeable A similar argument shows there are no unilateral signatures (T 1,T 2,…,T k )  H k

A single verification equation is impossible

No signature with 2 group elements Theorem –There are no 2 group element structure-preserving signatures for M  G Proof strategy –Since signatures cannot be unilateral we just need to rule out signatures of the form (S,T)  G  H –Generic signer generates them as S = M  G  and T = H  –Proof shows the correctness of the signature scheme implies all the verification equations collapse to a single verification equation, which we know is impossible

No signature with 2 group elements

Optimal structure-preserving signatures

Optimal –Signature size is 3 group elements –Verification uses 2 pairing product equations Security –Strongly existentially unforgeable under adaptive chosen message attack –Proven secure in the generic group model

Further results One-time signatures (unilateral messages) –Unilateral, 2 group elements, single verification equation Non-interactive assumptions (q-style) –4 group elements for unilateral messages –6 group elements for bilateral messages Rerandomizable signatures –3 group elements for unilateral messages

Summary Lower bound –Structure-preserving signatures created by generic signers consist of at least 3 group elements Optimal construction –Structure-preserving signature scheme with 3 group element signatures that is sEUF-CMA in the generic group model

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.