Server-Aided Verification : Theory and Practice Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623...
Server-Aided Verification : Theory and Practice
Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623
Author: Marc Girault and David Lefranc
Presenter: Chun-Yen Lee
First SAV Protocols for Pairing-Based Schemes
• Zhang, Safavi-Naini and Susilo – ZSNS signature scheme
• Boneh-Boyen signature schemes
First SAV Protocols for Pairing-Based Schemes
• Verifier checks if e(f(I, m, r), σ) = e(g, g)
– f is a public function
– I : public parameters including the public key
– (r, σ): signature
First SAV Protocols for Pairing-Based Schemes
Verifier (holds e(g, g))                                   Server
1. picks t ∈_R Z_q
2. computes α = f(I, m, r)^t
3. sends (α, σ) to the server, which computes and returns e(α, σ)
4. accepts iff the returned value equals e(g, g)^t
• Proof
– Auxiliary completeness.
– Auxiliary soundness.
– Computational gain.
– Auxiliary non-repudiation.
Application to the ZSNS Signature Scheme
• Auxiliary completeness
– e(f(I, m, r), σ) = e(g, g) implies e(α, σ) = e(f(I, m, r)^t, σ) = e(f(I, m, r), σ)^t = e(g, g)^t
• Auxiliary non-repudiation
– The SAV construction allows the misbehaving prover P̃ to send any value σ̃.
– Then, during the computation of e(α, σ̃), P̃ transmits the right value σ to S̃.
– It is finally accepted in π*.
Application to the ZSNS Signature Scheme
• Signer
– public parameters: g, p, e(g, g)
– public key: U = g^x
– private key: x
– signature: σ = g^{1/(H(m)+x)}
• Verifier
– checks e(g^{H(m)} U, σ) = e(g, g)
Application to the ZSNS Signature Scheme
• π : ZSNS signature scheme
• π* : generic protocol
• In π : verification of the equation e(g^{H(m)} U, σ) = e(g, g)
• In π* : verification of the equation e(α, σ) = e(g, g)^t
• k-BCAA problem (called q-BCAA below, with k = q): given g, g^x, h_0, h_1, ..., h_k (all different) and g^{1/(h_1+x)}, ..., g^{1/(h_k+x)}, output the couple (h_0, e(g, g)^{1/(h_0+x)})
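The generic protocol of the previous slides, instantiated on ZSNS, is easier to follow on a small run. The Python below is an added example and not code from the paper or the slides: the "pairing" is a toy (G is the order-q subgroup of Z_p^* and e(g^i, g^j) is simply defined as g^{ij}, evaluated through a brute-force discrete-log table), the parameters q = 101 and p = 607, the hash H (SHA-256 reduced mod q), the private key 42 and the message are all constructed for illustration. It shows the four steps of π* (t, α = f(I, m)^t, the server's e(α, σ), the check against e(g, g)^t), that the verifier performs exponentiations only and no pairing (the pairing counter lives on the server), and that an invalid σ or a server that merely guesses e(g, g)^t is rejected.

```python
"""Toy server-aided verification (SAV) of the ZSNS signature scheme.

Added example, not code from the paper.  The bilinear map is a toy: G is the
order-q subgroup of Z_p^* and e(g^i, g^j) is *defined* as g^{ij} via a
brute-force discrete-log table.  Bilinear by construction, zero security; it
only shows the protocol flow, that the verifier computes no pairing, and that
an invalid signature or a guessing server is rejected.
"""
import hashlib

Q = 101   # prime order of G (toy size)
P = 607   # prime with Q | P - 1  (607 = 6 * 101 + 1)

def _generator():
    """Generator of the order-Q subgroup of Z_P^* (cofactor exponentiation)."""
    for a in range(2, P):
        g = pow(a, (P - 1) // Q, P)
        if g != 1:
            return g
    raise RuntimeError("no generator found")

G = _generator()
_DLOG = {pow(G, i, P): i for i in range(Q)}   # G^i -> i, toy only

def pairing(a, b):
    """Toy symmetric bilinear map: e(g^i, g^j) = g^{ij}, target group G, e(g, g) = g."""
    return pow(G, (_DLOG[a] * _DLOG[b]) % Q, P)

E_GG = pairing(G, G)   # e(g, g): public parameter, precomputed once by the verifier

def hash_to_zq(msg):
    """H : {0,1}* -> Z_q (toy: SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x):
    """ZSNS keys from private key x in Z_q^*: public key U = g^x."""
    return x, pow(G, x, P)

def sign(x, msg):
    """ZSNS signature sigma = g^{1/(H(m) + x)}."""
    d = (hash_to_zq(msg) + x) % Q
    if d == 0:
        raise ValueError("H(m) + x = 0 mod q: cannot sign this message")
    return pow(G, pow(d, -1, Q), P)

def f_public(U, msg):
    """f(I, m) = g^{H(m)} U, the public function of the generic SAV protocol."""
    return (pow(G, hash_to_zq(msg), P) * U) % P

def verify_plain(U, msg, sigma):
    """Original verification pi: e(g^{H(m)} U, sigma) == e(g, g); one pairing for the verifier."""
    return pairing(f_public(U, msg), sigma) == E_GG

class Server:
    """Server of pi*: sees only (alpha, sigma) and returns e(alpha, sigma).
    cheat=True models a server that skips the pairing; not knowing t it can only
    guess e(g, g)^t, here with e(g, g) (the guess t = 1)."""

    def __init__(self, cheat=False):
        self.cheat, self.pairings = cheat, 0

    def answer(self, alpha, sigma):
        if self.cheat:
            return E_GG
        self.pairings += 1
        return pairing(alpha, sigma)

def sav_verify(U, msg, sigma, server, t):
    """Server-aided verification pi*; t is passed in so runs are reproducible.
    1. t <-R Z_q^* (verifier's secret)   2. alpha = f(I, m)^t
    3. (alpha, sigma) -> server -> beta = e(alpha, sigma)   4. accept iff beta == e(g, g)^t
    Verifier cost: two exponentiations, no pairing."""
    alpha = pow(f_public(U, msg), t, P)
    beta = server.answer(alpha, sigma)
    return beta == pow(E_GG, t, P)

def demo():
    """The cases discussed on the slides; returns a dict of outcomes."""
    x, U = keygen(42)                    # constructed private key
    msg = b"hello"                       # constructed message
    sigma = sign(x, msg)
    bad_sigma = (sigma * G) % P          # a group element that is not a signature on msg
    honest = Server()
    return {
        "pi_accepts_valid": verify_plain(U, msg, sigma),
        "pi_star_accepts_valid": sav_verify(U, msg, sigma, honest, t=5),
        "pi_star_rejects_invalid": not sav_verify(U, msg, bad_sigma, honest, t=5),
        # a guessing server succeeds only when t == 1: probability 1/q per run
        "guessing_server_rejected": all(
            not sav_verify(U, msg, sigma, Server(cheat=True), t=t) for t in range(2, Q)),
        "server_pairings": honest.pairings,
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports all four checks as true and exactly two server-side pairings. The guessing server's 1/q chance is only a property of the toy size; with a group of cryptographic order it is the negligible soundness error the auxiliary soundness argument bounds, and the toy's brute-force discrete logs are what a real pairing group makes infeasible.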
• Lemma 2.
– Assume P̃, communicating with S̃ and making at most qH queries to the hash oracle and qS queries to the signing oracle, gets π* accepted by S̃ with some probability.
– Then the q-BCAA problem (q ≥ qH + qS − 1) can be solved with probability at least 1/(qH + 1) times that one.
Application to the ZSNS Signature Scheme
• Reduction: A receives a q-BCAA instance g, g^x, h_0, h_1, ..., h_k (all different), g^{1/(h_1+x)}, ..., g^{1/(h_k+x)} and must output the couple (h_0, e(g, g)^{1/(h_0+x)}).
• S1
– A sets up the simulation from the q-BCAA instance.
– lH: list of (message, hash value) couples, initially empty.
• S2
– P̃ makes a hash query m_i (0 ≤ i ≤ qH).
– A answers w_i and adds the couple (m_i, w_i) to lH, where H = {w_0, w_1, ..., w_{qH}} ⊂ {h_0, ..., h_q}; m̃ denotes the query answered with h_0.
Application to the ZSNS Signature Scheme
• S3
– A keeps a set S_H of the hash values used for signing queries.
– P̃ makes a signing query m_i.
• If m_i has been queried to the hash oracle:
– there exists a unique couple (m_i, w_i) in lH;
– if m_i = m̃, then A fails, otherwise A answers g^{1/(w_i+x)}.
• If m_i has not been queried to the hash oracle:
– A answers g^{1/(h_i+x)} with h_i ∈ {h_0, ..., h_q} \ (H ∪ S_H);
– A adds (m_i, h_i) to lH and h_i to S_H.
Application to the ZSNS Signature Scheme
• S4: After making all the queries to the oracles, P̃ outputs a couple (m*, σ*).
• If m* = m̃ and (m*, σ*) is such that e(g^{h_0} U, σ*) ≠ e(g, g), A sends to P̃ the value α = g^t = (g^{h_0} g^x)^{t/(h_0+x)}, for a random t.
• Otherwise, A fails and then stops.
• S5: Finally, P̃ answers a value.
– If S̃ accepts in π*, i.e. the answered value equals e(g, g)^{t/(h_0+x)},
– A raises it to 1/t and outputs the couple (h_0, e(g, g)^{1/(h_0+x)}).
Application to the ZSNS Signature Scheme
• A succeeds if:
• 1. In S3, the messages queried to the signing oracle are all different from m̃, which occurs with probability (qH + 1 − nH)/(qH + 1), nH being the number of hashed messages submitted to the signing oracle.
• 2. In S4, m* = m̃ and (m*, σ*) is such that e(g^{h_0} U, σ*) ≠ e(g, g), which occurs with probability 1/(qH + 1 − nH).
• 3. In S5, P̃ answers the value e(g, g)^{t/(h_0+x)}, which is exactly the event that S̃ accepts in π*.
• Overall, A succeeds with probability at least 1/(qH + 1) times the success probability of P̃.
Conclusion
• 1. We have formalized the concept of a server-aided verification protocol.
• 2. We have analyzed previously proposed protocols in the new model.
• 3. We have presented a generic SAV protocol for pairing-based schemes.