Transitive Signatures based on Factoring and RSA Mihir Bellare (University of California, San Diego, USA) Gregory Neven (Katholieke Universiteit Leuven,


Transitive Signatures based on Factoring and RSA Mihir Bellare (University of California, San Diego, USA) Gregory Neven (Katholieke Universiteit Leuven, Belgium)

2 Standard digital signatures
• Key generation: SKG($1^k$) outputs (spk, ssk)
• Signing: SSign(ssk, M) outputs $\sigma$
• Verification: SVf(spk, M, $\sigma'$) outputs accept / reject

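3 Transitive signatures [MR02]
• Message is a pair of nodes i,j
• Signing i,j = creating and authenticating edge {i,j}
• An authenticated graph grows with time
• Key generation: TKG($1^k$) outputs (tpk, tsk)
• Signing: TSign(tsk, i, j) outputs $\sigma_{i,j}$
• Verification: TVf(tpk, i, j, $\sigma'$) outputs accept / reject
[Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$ and $\sigma_{4,5}$]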

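4 Transitive signatures [MR02]
• Additional composition algorithm: Comp(tpk, i, j, k, $\sigma_{i,j}$, $\sigma_{j,k}$) outputs $\sigma_{i,k}$
• Authenticated graph is the transitive closure of directly signed edges
[Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; for nodes 1, 2, 3, composing $\sigma_{1,2}$ and $\sigma_{2,3}$ yields $\sigma_{1,3}$. The TKG, TSign and TVf interfaces are shown again.]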

5 Security of transitive signatures
• Standard security definition of [GMR] doesn’t apply: composition allows forgery to some extent
• New security goal [MR02]:
  • computationally infeasible to forge signatures not in the transitive closure of the edges signed directly by the signer
  • even under “chosen-edge” attack
[Figure: forger F is given tpk and access to the oracle TSign$_{tsk}(\cdot,\cdot)$. It queries edges 1,2 ║ 2,3 ║ 4,5 and receives $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$, from which $\sigma_{1,3}$ follows by composition. Its output is {1,4}, $\sigma_{1,4}$.]

6 Why transitive signatures?
Applications? Micali and Rivest suggest
• military chain-of-command (directed)
• administrative domains (undirected)
Compelling application yet to be found
But a cool concept!

7 RSATS-1: RSA based scheme [MR02]
Assume standard signature scheme with
• key pair (spk, ssk)
• message M signed under ssk
tpk = (spk, N, e); tsk = ssk
Signer assigns to each node i:
• secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
• public label $y_i \leftarrow x_i^e \bmod N$
• node certificate: the pair $(i, y_i)$ signed under ssk
To sign edge {1,2}:
• edge label $\delta_{1,2} \leftarrow x_1 \cdot x_2^{-1} \bmod N$
• signature $\sigma_{1,2}$ = (certificate of $(1, y_1)$, certificate of $(2, y_2)$, $\delta_{1,2}$)
Verification of (certificate of $(1, y_1)$, certificate of $(2, y_2)$, $\delta_{1,2}$):
• check node certificates
• check $\delta_{1,2}^e = y_1 \cdot y_2^{-1} \bmod N$

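8 Composition in RSATS-1
To compose signatures $\sigma_{1,2}$ and $\sigma_{2,3}$:
• $\sigma_{1,2}$ = (certificate of $(1, y_1)$, certificate of $(2, y_2)$, $\delta_{1,2}$) where $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
• $\sigma_{2,3}$ = (certificate of $(2, y_2)$, certificate of $(3, y_3)$, $\delta_{2,3}$) where $\delta_{2,3} = x_2 \cdot x_3^{-1} \bmod N$
• $\sigma_{1,3}$ = (certificate of $(1, y_1)$, certificate of $(3, y_3)$, $\delta_{1,3}$) where $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N = (x_1 \cdot x_2^{-1})(x_2 \cdot x_3^{-1}) \bmod N = x_1 \cdot x_3^{-1} \bmod N$
The $x_i$ are kept in the signer’s state.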
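The RSATS-1 signing, verification and composition steps of slides 7 and 8, as an added Python example that is not part of the original slides. Assumptions: the moduli are constructed toy values built from Mersenne primes, the "standard signature scheme" is a textbook hash-then-sign RSA stand-in, and edges are handled only in the slide's ordering (i, j) then (j, k).

```python
import hashlib
import secrets
from math import gcd

# Constructed toy keys built from Mersenne primes: insecure sizes, illustration only.
E = 65537
N = (2**61 - 1) * (2**89 - 1)                  # N in tpk = (spk, N, e)
SN = (2**107 - 1) * (2**127 - 1)               # spk modulus of the stand-in scheme
SD = pow(E, -1, (2**107 - 2) * (2**127 - 2))   # ssk of the stand-in scheme

def digest(i, y):
    """Hash of the certified pair (i, y_i), reduced into Z_SN."""
    return int.from_bytes(hashlib.sha256(f"{i},{y}".encode()).digest(), "big") % SN

class Signer:
    """Stateful signer: the secret labels x_i live in its state, tsk = ssk."""
    def __init__(self):
        self.nodes = {}                        # i -> (x_i, (i, y_i, certificate))

    def node(self, i):
        if i not in self.nodes:
            x = secrets.randbelow(N - 2) + 2
            while gcd(x, N) != 1:              # x_i must lie in Z*_N
                x = secrets.randbelow(N - 2) + 2
            y = pow(x, E, N)                   # public label y_i = x_i^e mod N
            self.nodes[i] = (x, (i, y, pow(digest(i, y), SD, SN)))
        return self.nodes[i]

    def sign(self, i, j):
        (xi, ci), (xj, cj) = self.node(i), self.node(j)
        return ci, cj, xi * pow(xj, -1, N) % N  # delta = x_i * x_j^-1 mod N

def verify(i, j, sig):
    (a, ya, sa), (b, yb, sb), delta = sig
    if (a, b) != (i, j) or gcd(yb, N) != 1:
        return False
    certs_ok = all(pow(s, E, SN) == digest(n, y) for n, y, s in sig[:2])
    return certs_ok and pow(delta, E, N) == ya * pow(yb, -1, N) % N

def compose(sig_ij, sig_jk):
    """Comp uses public data only: multiply edge labels, keep the end certificates."""
    ci, cj, d1 = sig_ij
    cj2, ck, d2 = sig_jk
    if cj != cj2:
        raise ValueError("signatures do not share the middle node")
    return ci, ck, d1 * d2 % N
```

The composed signature is identical to the one the signer would issue directly for the same edge, so a verifier cannot tell composed edges from directly signed ones.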

9 Non-adaptive security of RSATS-1
RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
• RSA is one-way
• underlying standard signature scheme is secure under chosen-message attack
Is RSATS-1 secure under adaptive attack?
• Neither proof nor attack known
• Might rely on stronger properties of RSA than one-wayness
• We consider security under one-more inversion [BNPS01]

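10 RSA under one-more inversion
[Figure: adversary A receives (N, e) and has access to two oracles: Chall, which returns challenges $y_1, \dots, y_m$ drawn at random from $\mathbb{Z}_N^*$, and $\mathrm{RSA}^{-1}_{N,e}(\cdot)$, which answers queries $z_1, \dots, z_n$ with $z_1^d \bmod N, \dots, z_n^d \bmod N$. A outputs $x_1, \dots, x_m$.]
A is successful iff
• $x_i^e = y_i \bmod N$ for i = 1..m
• n < m
Assumption: this problem is hard [BNPS01]
Used before
• by [BNPS01] to prove security of Chaum’s blind signatures
• by [BP02] to prove security of GQ identification scheme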

11 Adaptive security of RSATS-1
Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
• the one-more RSA-inversion problem is hard
• the underlying standard signature scheme is secure under chosen-message attack.

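12 Proof idea for RSATS-1
[Figure: adversary A, given N, e and the oracles Chall and $\mathrm{RSA}^{-1}$, runs the forger F on (spk, N, e), with the challenges $y_1, \dots, y_6$ as public labels. A signing query {1,2} is answered with $\sigma_{1,2}$, where $\delta_{1,2}$ comes from submitting $y_1 \cdot y_2^{-1}$ to $\mathrm{RSA}^{-1}$; likewise {2,3} via $y_2 \cdot y_3^{-1}$. The signed edges form one component of $n_1$ nodes and one of $n_2$ nodes, costing $n_1 - 1$ and $n_2 - 1$ queries. F outputs $\sigma_{1,4}$; A outputs $x_1, \dots, x_6$.]
• If A would know $x_3$: $x_2 \leftarrow \delta_{2,3} \cdot x_3$, $x_1 \leftarrow \delta_{1,2} \cdot x_2$ (remember $\delta_{i,j} = x_i \cdot x_j^{-1}$)
• $(n_1 - 1) + (n_2 - 1) + 1 = n_1 + n_2 - 1$ queries < $n_1 + n_2$ decrypted challenges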

13 FBTS-1: Factoring based scheme
tpk = (spk, N); tsk = ssk
Signer assigns to each node i:
• secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
• public label $y_i \leftarrow x_i^2 \bmod N$
• node certificate: the pair $(i, y_i)$ signed under ssk
Signature $\sigma_{1,2}$ = (certificate of $(1, y_1)$, certificate of $(2, y_2)$, $\delta_{1,2}$) with $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
Verification of $\sigma_{1,2}$:
• check signatures on $(1, y_1)$, $(2, y_2)$
• check $\delta_{1,2}^2 = y_1 \cdot y_2^{-1} \bmod N$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
• $\sigma_{1,3}$ = (certificate of $(1, y_1)$, certificate of $(3, y_3)$, $\delta_{1,3}$) with $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N$

14 Security of FBTS-1
Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
• factoring N is hard
• the underlying standard signature scheme is secure under chosen-message attack.
Proof idea:
• with probability 1/2, forgery gives second square root
• signatures might leak information about known root → information-theoretic lemma needed

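15 Node certification paradigm
For each node i, the signer:
• chooses secret label $x_i$
• computes public label $y_i = f(x_i)$
• creates node certificate for $(i, y_i)$
Signature $\sigma_{1,2}$ = (certificate of $(1, y_1)$, certificate of $(2, y_2)$, $\delta_{1,2}$) where $\delta_{1,2} = g(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$: $\sigma_{1,3}$ = (certificate of $(1, y_1)$, certificate of $(3, y_3)$, $\delta_{1,3}$) where $\delta_{1,3} = h(\delta_{1,2}, \delta_{2,3})$

| Scheme | $f(x_i)$ | $g(x_i, x_j)$ | $h(\delta_{i,j}, \delta_{j,k})$ |
|---|---|---|---|
| RSATS-1 | $x_i^e \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |
| FBTS-1 | $x_i^2 \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |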

16 Eliminating node certificates
Let $H_{tpk}$ be a public hash function
For each node i, signer lets:
• public label $y_i \leftarrow H_{tpk}(i)$, so $y_1 = H_{tpk}(1)$, $y_2 = H_{tpk}(2)$, $y_3 = H_{tpk}(3)$
• secret label $x_i$ ← “inversion” of $y_i$ (using trapdoor information in tsk)
RSATS-1 and FBTS-1, but not MRTS
Signature $\sigma_{1,2} = \delta_{1,2}$ where $\delta_{1,2} = f(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$: $\sigma_{1,3} = \delta_{1,3}$ where $\delta_{1,3} = g(\delta_{1,2}, \delta_{2,3})$

17 RSATS-2 and FBTS-2
RSATS-2: Straightforward application of this idea to RSATS-1
Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
• the one-more RSA-inversion problem is hard
• $H_N : \{0,1\}^* \to \mathbb{Z}_N^*$ is a random oracle.
FBTS-2: Modifications needed because public labels have to be squares mod N
Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
• factoring N is hard
• $H_N : \{0,1\}^* \to \mathbb{Z}_N^*[+1]$ is a random oracle.
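How RSATS-2 drops node certificates and signer state, as an added Python example that is not part of the original slides. Assumptions: the modulus is a constructed toy value built from Mersenne primes, and the random oracle $H_N$ is replaced by a SHA-256 based stand-in (the function name `H` and its encoding of node identifiers are choices made for this example).

```python
import hashlib
from math import gcd

# Constructed toy key built from Mersenne primes: insecure size, illustration only.
E = 65537
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                  # tpk = (N, e)
D = pow(E, -1, (P - 1) * (Q - 1))          # trapdoor kept in tsk

def H(i):
    """Stand-in for H_N: {0,1}* -> Z*_N; retries with a counter until invertible."""
    ctr = 0
    while True:
        seed = f"{i}|{ctr}".encode()
        wide = (hashlib.sha256(b"\x00" + seed).digest()
                + hashlib.sha256(b"\x01" + seed).digest())
        y = int.from_bytes(wide, "big") % N
        if gcd(y, N) == 1:
            return y
        ctr += 1

def edge_target(i, j):
    """Public value y_i * y_j^-1 mod N that a valid edge label must map to."""
    return H(i) * pow(H(j), -1, N) % N

def sign(i, j):
    # x_i is the RSA inverse of y_i = H(i), so
    # delta = x_i * x_j^-1 = (y_i * y_j^-1)^d mod N; nothing is stored per node.
    return pow(edge_target(i, j), D, N)

def verify(i, j, delta):
    # No certificates to check: the public labels are recomputed from H.
    return pow(delta, E, N) == edge_target(i, j)

def compose(delta_ij, delta_jk):
    return delta_ij * delta_jk % N
```

The whole signature is a single element of $\mathbb{Z}_N^*$, and the signer can recompute every secret label on demand from its trapdoor.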

18 Previously known schemes

| Scheme | Security assumption | Adaptive? | Signature size |
|---|---|---|---|
| Trivial | Standard signatures | Yes | O(path length) |
| MRTS | Discrete logarithms; standard signatures | Yes | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA; standard signatures | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |

19 Scheme contributions

| Scheme | Security assumption | Adaptive? | Signature size | No RO? |
|---|---|---|---|---|
| Trivial | Standard signatures | Yes | O(path length) | |
| MRTS | Discrete logarithms; standard signatures | Yes | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ | |
| RSATS-1 | One-wayness of RSA; standard signatures | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ | |
| RSATS-1 | One-more RSA; standard signatures | Yes | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ | |
| FBTS-1 | Factoring; standard signatures | Yes | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ | |
| RSATS-2 | One-more RSA | Yes | 1 point in $\mathbb{Z}_N^*$ | No |
| FBTS-2 | Factoring | Yes | 1 point in $\mathbb{Z}_N^*$ | |

Questions?