Download presentation
Presentation is loading. Please wait.
1
The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures Bei Liang, Hongda Li, Jinyong Chang
2
Identity-Based Aggregate Signatures
3
PK MSK
4
Identity-Based Aggregate Signatures Bob id 1 Alice id 2 id 3 Eve PK MSK
5
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Eve PK MSK
6
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Sign m 3 Sign m 3 Eve PK MSK
7
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Sign m 3 Sign m 3 Eve PK MSK m 1, m 2, m 3 Prove that Bob, Alice and Eve indeed sign the message m 1, m 2, m 3 respectively S2S2S2S2 S1S1S1S1 S3S3S3S3
8
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Sign m 3 Sign m 3 Eve PK MSK Identity-Based Aggregate Signatures. Gentry and Ramzan. PKC 2006 Identity-Based Aggregate Signatures. Gentry and Ramzan. PKC 2006
9
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Sign m 3 Sign m 3 Eve PK MSK SASASASA Aggregator
10
Identity-Based Aggregate Signatures Bob id 1 SK 1 Alice id 2 SK 2 id 3 SK 3 Sign m 1 Sign m 1 S1S1S1S1 Sign m 2 Sign m 2 S2S2S2S2 S3S3S3S3 Sign m 3 Sign m 3 Eve PK MSK SASASASA Aggregator
11
Identity-Based Aggregate Signatures IBAS [GR06] PKC 06 IBAS [GR06] PKC 06 Sequential IBAS. [BGN+06] CCS 07 IBAS (with same common token) [BJ10] PKC 10 Unrestricted IBAS. [HSW13] CRYPTO 13
![Identity-Based Aggregate Signatures IBAS [GR06] PKC 06 IBAS [GR06] PKC 06 Sequential IBAS.](http://images.slideplayer.com/24/7569636/slides/slide_11.jpg "[BGN+06] CCS 07 IBAS (with same common token) [BJ10] PKC 10 Unrestricted IBAS. [HSW13] CRYPTO 13.")
12
Identity-Based Aggregate Signatures IBAS are restricted to: share a common token e.g., where a set of signatures can only be aggregated if they were created with the same common token require sequential additions e.g., where a group of signers sequentially form an aggregate by each adding their own signature to the aggregate-so-far IBAS are restricted to: share a common token e.g., where a set of signatures can only be aggregated if they were created with the same common token require sequential additions e.g., where a group of signers sequentially form an aggregate by each adding their own signature to the aggregate-so-far
13
Identity-Based Aggregate Signatures How to achieve identity-based aggregate signatures from standard signatures?
14
Overview of our Approach Standard signature scheme Identity-based signature Identity-based aggregate signature Universal samplers [HJK+14] Indistinguishability obfuscation [HKW14]
![Overview of our Approach Standard signature scheme Identity-based signature Identity-based aggregate signature Universal samplers [HJK+14] Indistinguishability obfuscation [HKW14]](http://images.slideplayer.com/24/7569636/slides/slide_14.jpg "Overview of our Approach Standard signature scheme Identity-based signature Identity-based aggregate signature Universal samplers [HJK+14] Indistinguishability obfuscation [HKW14]")
15
Our Construction Standard signature scheme Identity-based aggregate signature* UP + iO + OWFs *: n-bounded IBAS, e.g. at most n signature can be aggregated.
16
Our Construction Standard signature scheme Identity-based aggregate signature* UP + iO + OWFs selective *: n-bounded IBAS, e.g. at most n signature can be aggregated.
17
Our Construction Standard signature scheme Identity-based aggregate signature* UP + iO + OWFs selective wCCA PKE Homomorphic encryption (puncturable) PRFs Ingredients *: n-bounded IBAS, e.g. at most n signature can be aggregated.
18
Our Construction IBAS.Setup 1. HE.Setup (pk HE, sk HE ), HE.Enc(pk HE,0) ct i ; 2. PKE.Setup (pk, sk), PRF key K, universal parameter U ; 3. Creat program P 0, iO(P 1 ), iO(P 2 ) ; 4. Output public parameters PP=(pk HE, U, P 0, iO(P 1 ), iO(P 2 )), master secret key msk=sk ; P 0 1. SIG.Setup(r 0 ) (vk SIG, sk SIG ), PKE.Enc(pk, sk SIG ; r 1 ) c ; 2. Output (vk SIG, c); r=r 0 ||r 1 Hardwire: pk
19
Our Construction P 0 1. SIG.Setup(r 0 ) (vk SIG, sk SIG ), PKE.Enc(pk, sk SIG ; r 1 ) c ; 2. Output (vk SIG, c); r=r 0 ||r 1 IBAS.KeyGen(sk,id) 1. InduceGen(U, P 0 ||id) (vk id, c id ); 2. Return PKE.Dec(sk, c id ) sk id ; Hardwire: pk
20
Our Construction P 0 1. SIG.Setup(r 0 ) (vk SIG, sk SIG ), PKE.Enc(pk, sk SIG ; r 1 ) c ; 2. Output (vk SIG, c); r=r 0 ||r 1 IBAS.Sign(sk id,m) 1. SIG.Sign(sk id, m) σ ; 2. Return σ; IBAS.KeyGen(sk,id) 1. InduceGen(U, P 0 ||id) (vk id, c id ); 2. Return PKE.Dec(sk, c id ) sk id ; Hardwire: pk
21
Our Construction IBAS.Aggregate(PP,{(id i,m i ), σ i } i ) 1. InduceGen(U, P 0 ||id i ) (vk i, c i ) ; 2. Return iO(P 1 )({vk i,(id i,m i ),σ i } i ) ; {vk i, (id i,m i ), σ i } i P 1 1. Compute t= σ 1 ·ct 1 + · · ·+ σ n ·ct n ; 2. Compute s i =F(K, vk i ||id i ||m i ||i||t) ; 3. Output σ agg =(t, ⊕ i s i ); Hardwire: K, ct 1,…,ct n
22
Our Construction IBAS.Verify(PP,{(id i,m i )} i, σ agg =(t,s)) 1. InduceGen(U, P 0 ||id i ) (vk i, c i ) ; 2. Return iO(P 2 )({vk i,(id i,m i )} i, σ agg ); {vk i, (id i,m i )} i, σ agg =(t,s) P 2 1. Compute s’=⊕ i F(K, vk i ||id i ||m i ||i||t) ; 2. Output 1 if s’= s, else output 0 ; Hardwire: K
23
Security Proof idea (id*, m*) (pk HE, sk HE ), (pk, sk), U, K, ct 1 =HE.Enc(0), … ct n =HE.Enc(0), P 0, iO(P 1 ), iO(P 2 ) P=(U, P 0, iO(P 1 ), iO(P 2 )) id sk id id, m σ (id 1, m 1 ),…, (id*,m*),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-0
24
Security Proof idea (id i*, m i* ) (pk HE, sk HE ), (pk, sk), U, K, ct 1 =HE.Enc(0), … ct n =HE.Enc(0), P 0, iO(P 1 ), iO(P 2 ) P=(U, P 0, iO(P 1 ), iO(P 2 )) id sk id id, m σ (id 1, m 1 ),…, (id i*, m i* ),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-1
25
Security Proof idea (id i*, m i* ) (pk HE, sk HE ), (pk, sk), U, K, ct 1 =HE.Enc(0),… ct i* =HE.Enc(1),… ct n =HE.Enc(0), P 0, iO(P 1 ), iO(P 2 ) P=(U, P 0, iO(P 1 ), iO(P 2 )) id sk id id, m σ (id 1, m 1 ),…, (id i*, m i* ),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-2
26
Security Proof idea (id i*, m i* ) (pk HE, sk HE ), (pk, sk), K, U=SimUGen(vk i*, c i* ) ct 1 =HE.Enc(0),… ct i* =HE.Enc(1),… ct n =HE.Enc(0), P 0, iO(P 1 ), iO(P 2 ) P=(U, P 0, iO(P 1 ), iO(P 2 )) id sk id id, m σ (id 1, m 1 ),…, (id i*, m i* ),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-3 (vk i*, sk i* ) SIG.Setup, c i* PKE.Enc(sk i* )
27
Security Proof idea (id i*, m i* ) (pk HE, sk HE ), (pk, sk), K, U=SimUGen(vk i*, c i* ) ct 1 =HE.Enc(0),… ct i* =HE.Enc(1),… ct n =HE.Enc(0), P 0, iO(P 1 ), iO(P 2 ) P=(U, P 0, iO(P 1 ), iO(P 2 )) id sk id id, m σ (id 1, m 1 ),…, (id i*, m i* ),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-4 vk i*, c i* PKE.Enc(1)
28
Security Proof idea (id i*, m i* ) (pk HE, sk HE ), (pk, sk), K, U=SimUGen(vk i*, c i* ) ct 1 =HE.Enc(0),… ct i* =HE.Enc(1),… ct n =HE.Enc(0), P 0, iO(P* 1 ), iO(P* 2 ) P=(U, P 0, iO(P* 1 ), iO(P* 2 )) id sk id id, m σ (id 1, m 1 ),…, (id i*, m i* ),…,(id n, m n ) σ* agg Attacker wins if: id*, m* not queried Verify({ (id 1, m 1 )} i, σ* agg )=1 Game-5 vk i*, c i* PKE.Enc(1) (m i*, HE.Dec(sk HE,t*)) Unforgeability of signature scheme
29
THANK YOU!
Similar presentations
