Sequential Aggregate Signatures and Multisignatures Without Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters

Presentation transcript:

1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters

2 Secure BGP
- BGP "Speakers" send path update messages
- S-BGP: sequence of messages + sigs.
- 4096 byte size limit
[Figure: successive updates carry $(M_1, \sigma_1)$; then $(M_1, \sigma_1), (M_2, \sigma_2)$; then $(M_1, \sigma_1), (M_2, \sigma_2), (M_3, \sigma_3)$]

3 Aggregate Sigs [BGLS03]
[Figure: diagram with the labels "Sign" and "Aggregate"]

4 Aggregate Signatures [BGLS03]
- A single short aggregate provides nonrepudiation for many different messages under many different keys
- More general than multisignatures
- Applications:
  - X.509 certificate chains
  - Secure BGP route attestations
  - PGP web of trust
[Figure: certificate chain with the labels Verisign, Verisign Europe, NatWest, NatWest WWW]

5 BGLS Aggregate Sigs
BLS Sigs:
- $PK = g^{a}$, $SK = a$
- Sign(SK, M): $\sigma = H(M)^{a}$
- Verify(PK, M, $\sigma$): $e(\sigma, g) = e(H(M), PK)$
- Secure in R.O. Model
- Deterministic Signatures

6 BGLS Aggregate Sigs
- $PK_i = g^{a_i}$, $SK_i = a_i$
- Sign($SK_i$, $M_i$): $\sigma_i = H(M_i)^{a_i}$
- Aggregate($\sigma_1, \dots, \sigma_n$): $\sigma^* = \prod_{i=1}^{n} \sigma_i$
- Verify($PK_i$, $M_1, \dots, M_n$, $\sigma^*$): $e(\sigma^*, g) = \prod_{i=1}^{n} e(H(M_i), PK_i)$
- Verification requires n pairings

7 Difficulty w/o Random Oracles
- Known efficient signatures have a random component
  - Strong RSA sigs [GHR'99, CS'99]
  - B-Map [BB'04, CL'04, W'05]
  - Tree-sigs
- Difficult to aggregate
  - Independent signatures => Independent randomness

8 Sequential Aggregates [LMRS'04]
- Signing and Aggregation are a single operation
- Inherently sequenced; not appropriate for PGP
[Figure: diagram with the label "Sign and Aggregate"]

9 Our Approach
- Build from W'05 signatures
- Signer uses same randomness from previous sig
- Then re-randomizes

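10 Our Aggregate Sigs
W'05 Sigs:
- $PK = e(g,g)^{a}, h, u_1, \dots, u_m$; $SK = a$
- Sign(SK, M): $\sigma = (\sigma', \sigma'') = \left( g^{a} \left( h \prod_{i=1}^{m} u_i^{M_i} \right)^{r},\; g^{-r} \right)$
- Verify(PK, M, $\sigma$): $e(\sigma', g) \cdot e\left(\sigma'', h \prod_{i=1}^{m} u_i^{M_i}\right) = e(g,g)^{a}$
- Secure w/o R.O.s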

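11 Our Aggregate Sigs
- $PK_i = e(g,g)^{a_i},\; h_i = g^{y_i'},\; u_{i,1} = g^{y_{i,1}}, \dots, u_{i,m} = g^{y_{i,m}}$
- $SK_i = a_i, y_i', y_{i,1}, \dots, y_{i,m}$
- Agg($SK_i$, $M_i$, $\sigma^* = (\sigma_1, \sigma_2)$): $x = DL\left(h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}}\right)$, $\sigma = (\sigma', \sigma'') = \left(g^{a_i} \sigma_2^{x} \sigma_1,\; \sigma_2\right)$
- Verify(PK, $M_1, \dots, M_n$, $\sigma^* = (\sigma', \sigma'')$): $e(\sigma', g) \cdot e\left(\sigma'', \prod_{i=1}^{n} h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}}\right) = \prod_{i=1}^{n} e(g,g)^{a_i}$
[Callout: Know DL PK]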
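
The algebra of slides 9 to 11 can be checked in a toy model, given here as an added example that is not code from the talk or its authors: each group element $g^x$ is stored as its exponent $x$ modulo a prime, so a pairing becomes a multiplication of exponents and nothing here is secure. The function names, the 256-bit SHA-256 message encoding and the group order are assumptions of this example, as is the choice to apply $\sigma''$ with exponent $-x$ so that the two-pairing check holds with $\sigma'' = g^{-r}$ as on slide 10.

```python
import hashlib, secrets

Q = 2**127 - 1   # prime group order; toy model: the element g^x is stored as x mod Q
M = 256          # number of message bits fed to the Waters hash (assumed encoding)

def pair(x, y):
    """e(g^x, g^y) = e(g,g)^(xy); G_T elements are stored as exponents as well."""
    return x * y % Q

def keygen():
    a, yp = secrets.randbelow(Q), secrets.randbelow(Q)
    ys = [secrets.randbelow(Q) for _ in range(M)]
    # In this model h = g^y' and u_j = g^y_j are represented by y' and y_j themselves.
    return (a, yp, ys), (pair(a, 1), yp, ys)

def waters_hash(key, msg):
    """Exponent of h * prod_j u_j^(M_j), where M_j is bit j of SHA-256(msg)."""
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return (key[1] + sum(y for j, y in enumerate(key[2]) if d >> j & 1)) % Q

def verify(pks, msgs, sig):
    """e(s', g) * e(s'', prod_i H_i) == prod_i e(g,g)^(a_i): two pairings for any n."""
    s1, s2 = sig
    h_all = sum(waters_hash(pk, m) for pk, m in zip(pks, msgs)) % Q
    lhs = (pair(s1, 1) + pair(s2, h_all)) % Q   # product in G_T = sum of exponents
    return len(pks) == len(msgs) and lhs == sum(pk[0] for pk in pks) % Q

def agg_sign(sk, msg, sig, pks, msgs):
    """Verify the incoming aggregate, add own signature on the same r, re-randomise."""
    if not verify(pks, msgs, sig):
        raise ValueError("refusing to extend an invalid aggregate")
    s1, s2 = sig
    x = waters_hash(sk, msg)          # the discrete log the signer knows
    s1 = (s1 + sk[0] - s2 * x) % Q    # s' <- s' * g^a * (s'')^(-x)
    r = secrets.randbelow(Q)          # fresh randomness for re-randomisation
    h_all = (x + sum(waters_hash(p, m) for p, m in zip(pks, msgs))) % Q
    return (s1 + r * h_all) % Q, (s2 - r) % Q

def run_chain(messages):
    """Each message is signed by a fresh key in sequence; returns (public keys, aggregate)."""
    pks, done, sig = [], [], (0, 0)   # (0, 0) encodes the identity pair (1, 1)
    for m in messages:
        sk, pk = keygen()
        sig = agg_sign(sk, m, sig, pks, done)
        pks.append(pk); done.append(m)
    return pks, sig
```

The aggregate returned by `run_chain` stays two group elements however many signers extend it, and `verify` rejects it if any message is changed or a signer is dropped.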

12 Comparisons

| Scheme | R.O. | Sequential | Size | Ver. | Sign |
|---|---|---|---|---|---|
| BGLS | YES | NO | 160 bits | n+1 pairings | 1 exp. |
| LMRS-2 | YES | | 1024 bits | 4 mult. | Ver. + 1 exp. |
| Ours | NO | YES | 320 bits | 2 pairings | Ver. + 1 exp. |

- Shorter than LMRS
- Faster Ver. than BGLS

13 Summary and Open Problems
- Sequential Aggregate Signatures w/o R.O.
  - Use same randomness sequentially
  - Arguably better Performance than R.O. schemes
- Multi-Sigs and Verifiable Enc. Sigs
- Shorter Public Parameters
  - Certificate Chains
- Full Aggregate Signatures

14 THE END

15 Sequential Aggregate Chosen-Key Model
- Nontriviality:
  - $\sigma^*$ is a valid sequential aggregate
  - challenge key $pk = pk_j^*$ for some j;
  - No oracle query at $pk_1^*, \dots, pk_j^*; M_1^*, \dots, M_j^*$.
[Figure: Adversary interacting with an AggSign() oracle]