Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Published byNicholas McLaughlin Modified over 9 years ago

Similar presentations

Presentation on theme: "Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU."— Presentation transcript:

1 Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU Miyako Ohkubo, NICT

2 Mathematical structures in cryptography Cyclic prime order group G Useful mathematical structure –ElGamal encryption –Pedersen commitments –Schnorr proofs –…

3 Pairing-based cryptography Groups G, H, T with bilinear map e: G  H  T Additional mathematical structure –Identity-based encryption –Short digital signatures –Non-interactive zero-knowledge proofs –…

4 Bilinear group Gen(1 k ) returns (p, G, H, T,G,H,e) –Groups G, H, T of prime order p –G =  G , H =  H  –Bilinear map e: G  H  T e(G a,H b ) = e(G,H) ab T =  e(G,H)  –Can efficiently compute group operations, evaluate bilinear map and decide membership Asymmetric group No efficiently computable homomorphisms between G and H

5 Structure-preserving signatures with generic signer The public verification key, the messages and the signatures consist of group elements in G and H The verifier evaluates pairing product equations –Accept signature if e(M,V 1 )e(S 1,V 2 ) = 1 e(S 2,V 2 )e(M,V 2 ) = e(G,V 3 ) The signer only uses generic group operations –Signature of the form (S 1,S 2,…) where S 1 = M  G , S 2 = …

6 Structure-preserving signatures Composes well with other pairing-based schemes –Easy to encrypt structure-preserving signatures –Easy use with non-interactive zero-knowledge proofs –…–… Applications –Group signatures –Blind signatures –Delegatable credentials –…–…

7 Results Lower bound –A structure-preserving signature consists of at least 3 group elements Construction –A structure-preserving signature scheme matching the lower bound

8 Lower bound Theorem –A structure-preserving signature made by a generic signer consists of at least 3 group elements Proof uses the structure-preservation and the fact that the signer only does generic group operations –Not information-theoretic bound Shorter non-structure-preserving signatures exist –Uses generic group model on signer instead of adversary

9 Proof overview Without loss of generality lower bound for M  G Theorems –Impossible to have unilateral structure-preserving signatures (all elements in G or all elements in H ) –Impossible to have a single verification equation (for example e(S 2,V 2 )e(M,V 2 ) = 1) –Impossible to have signatures of the form (S,T)  G  H

10 Unilateral signatures are impossible A similar argument shows there are no unilateral signatures (S 1,S 2,…,S k )  G k

11 Unilateral signatures are impossible Case II –There is no single element signature T  H for M  G Proof –A generic signer wlog computes T = H t where t is chosen independently of M –Since T is independent of M either the signature scheme is not correct or the signature is valid for any choice of M and therefore easily forgeable A similar argument shows there are no unilateral signatures (T 1,T 2,…,T k )  H k

12 A single verification equation is impossible

13 No signature with 2 group elements Theorem –There are no 2 group element structure-preserving signatures for M  G Proof strategy –Since signatures cannot be unilateral we just need to rule out signatures of the form (S,T)  G  H –Generic signer generates them as S = M  G  and T = H  –Proof shows the correctness of the signature scheme implies all the verification equations collapse to a single verification equation, which we know is impossible

14 No signature with 2 group elements

15

16 Optimal structure-preserving signatures

17 Optimal –Signature size is 3 group elements –Verification uses 2 pairing product equations Security –Strongly existentially unforgeable under adaptive chosen message attack –Proven secure in the generic group model

18 Further results One-time signatures (unilateral messages) –Unilateral, 2 group elements, single verification equation Non-interactive assumptions (q-style) –4 group elements for unilateral messages –6 group elements for bilateral messages Rerandomizable signatures –3 group elements for unilateral messages

19 Summary Lower bound –Structure-preserving signatures created by generic signers consist of at least 3 group elements Optimal construction –Structure-preserving signature scheme with 3 group element signatures that is sEUF-CMA in the generic group model

Download ppt "Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU."

Similar presentations

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Cryptography and Network Security

Cryptography and Network Security
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.

Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
01101100101001001010011001011110010110101000101010010010110010100010100101010101010001101001010101001000101001011110011110100110 100100101010100010101010100101010101010010100101010101010010100111001001001000101000001010110000100101000100111101001010100101

Cryptography in Subgroups of Z n * Jens Groth UCLA.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Sub-linear Size Pairing-Based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint.

Sub-linear Size Pairing-Based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.

Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Similar presentations

Ads by Google