Algebraic Lower Bounds for Computing on Encrypted Data Rafail Ostrovsky William E. Skeith III.
1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail...
-
Upload
aileen-wood -
Category
Documents
-
view
224 -
download
0
Transcript of 1 Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail...
1
Sequential Aggregate Signatures
and MultisignaturesWithout Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters
2
Secure BGP
BGP “Speakers” send path updates messages
S-BGP sequence of messages + sigs.
4096 byte size limit
(M1,1)
(M1,1), (M2,2)
(M1,1), (M2,2), (M3,3)
3
Aggregate Sigs [BGLS03]
Sign Aggregate
4
Aggregate Signatures [BGLS03]
A single short aggregate provides nonrepudiation for many different messages under many different keys
More general than multisignatures
Applications:
X.509 certificate chains
Secure BGP route attestations
PGP web of trust
Verisign
Versign Europe
NatWest
NatWest WWW
5
BGLS Aggregate Sigs
BLS Sigs:
PK = ga SK=a
Sign(SK,M): =H(M)a
Verify(PK,M,): e(,g)=e( H(M), PK)
Secure in R.O. Model --- Deterministic Signatures
6
BGLS Aggregate Sigs
PKi = gai SKi=ai
Sign(SKi,Mi): i=H(M)i
Aggregate(1,…n): *=i=1… i
Verify(PKi,M1,…,Mn ,*): e(*,g)= i=1,…n e( H(Mi), PKi)
Verification requires n pairings
7
Difficulty w/o Random Oracles
Known efficient signatures have a random component•Strong RSA sigs[GHR’ 99, CS’99]•B-Map [BB’04,CL’04.W’05]•Tree- sigs
Difficult to aggregate • Independent signatures => Independent
randomness
8
Sequential Aggregates [LMRS’04]
Signing and Aggregation are a single operation
Inherently sequenced; not appropriate for PGP
Sign and Aggregate
9
Our Approach
Build from W’05 signatures
Signer uses same randomess from previous sig
Then re-randomizes
10
Our Aggregate Sigs
W’05 Sigs:
PK = e(g,g)a ,h, u1,…,um SK=a
Sign(SK,M): =(’,’’)=ga (h i=1,…m uMi)r , g-r
Verify(PK,M,): e(’,g) e( ’’, h i=1,…m uMi)=e(g,g)a
Secure w/o R.O.s
11
Our Aggregate Sigs
PKi = e(g,g)ai ,hi=gyi’, ui,1=gyi,1…,um, =gyi,m
SK =ai ,yi’, yi,1,…,yi,m
Agg(SKi,Mi,*=1,2):
x=DL(h j=1,…m uMi,j )
=(’,’’)=ga 2
x 1, 2
Verify(PK,M1,…Mn,*=(’,’’)):
e(’,g) e( ’’, i1…n hj j=1,…m uMi,j)=i=1…n e(g,g)ai
Know DL PK
12
Comparisons
Scheme R.O. Sequential
Size Ver. Sign
BGLS YES NO 160 bits
n+1 parings
1 exp.
LMRS-2 YES YES 1024 bits
4 mult. Ver. +1 exp.
Ours NO YES 320 bits
2 pairings
Ver. +1 exp.
Shorter than LMRS Faster Ver. than BGLS
13
Summary and Open Problems
Sequential Aggregate Signatures w/o R.O.•Use same randomness sequentially•Arguably better Performance than R.O.
schemes
Multi-Sigs and Verifiable Enc. Sigs
Shorter Public Parameters•Certificate Chains
Full Aggregate Signatures
14
THE END
15
Sequential Aggregate Chosen-Key Model
Nontriviality:
σ* is a valid sequential aggregate
challenge key pk = pkj* for some j;
No oracle query at pk1*,…,pk
j*;M
1*,…,M
j*.
AdversaryAggSign() oracle