
Attribute-Based Signatures for Unbounded Languages from Standard - PowerPoint PPT Presentation

Attribute-Based Signatures for Unbounded Languages from Standard Assumptions. Yusuke Sakai (AIST, Japan), Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan), Nuttapong Attrapadung (AIST, Japan), Goichiro Hanaoka (AIST, Japan)


  1. Attribute-Based Signatures for Unbounded Languages from Standard Assumptions
     Yusuke Sakai (AIST, Japan), Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan), Nuttapong Attrapadung (AIST, Japan), Goichiro Hanaoka (AIST, Japan)

  2. Our Contribution
     • Propose attribute-based signature scheme for Turing machines
       – A key-policy variant
       – The policy is described by a Turing machine (TM)
       – The attribute is an input to a TM
     The scheme allows policies that accept unbounded inputs!

  3. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

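  4. Attribute-Based Signatures (ABS)
     [Figure: signers holding signing keys $sk_P$ and $sk_{P'}$; the policy $P$ is drawn as a Turing machine with tape cells a b c d e and state q]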

  5. Attribute-Based Signatures
     Attribute: $x = x_1 x_2 x_3 \dots$, given as the input to the Turing machine (tape a b c d e, state q)
     $\sigma \leftarrow \mathrm{AttrSign}(pp, sk_P, M, x)$

  6. Attribute-Based Signatures
     Attribute: $x = x_1 x_2 x_3 \dots$; published triple: $(M, x, \sigma)$
     $1/0 \leftarrow \mathrm{AttrVerify}(pp, M, x, \sigma)$
     σ is made by someone whose policy $P$ satisfies $P(x) = 1$

  7. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

  8. Anonymity
     Cannot tell who made σ among signers who satisfy $P(x) = 1$
     [Figure: signers with keys $sk_P$ and $sk_{P'}$; the published triple $(M, x, \sigma)$]

  9. Unforgeability
     Cannot make valid σ if $P(x) = 0$
     [Figure: signers with keys $sk_P$ and $sk_{P'}$; the published triple $(M, x, \sigma)$]

  10. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

  11. Certificate Approach (1/2)
     Each signer receives a signature on his policy:
     $sk_P = \theta_P = \mathrm{Sign}(msk, P)$
     $sk_{P'} = \theta_{P'} = \mathrm{Sign}(msk, P')$

  12. Certificate Approach (2/2)
     Prove knowledge of $(P, \theta)$:
     (1) $\mathrm{Verify}(P, \theta) = 1$
     (2) $P(x) = 1$
     Keys: $sk_P = \theta_P = \mathrm{Sign}(msk, P)$, $sk_{P'} = \theta_{P'} = \mathrm{Sign}(msk, P')$; published triple: $(M, x, \sigma)$

  13. Difficulty
     Prove knowledge of $(P, \theta_P)$:
     (1) $\mathrm{Verify}(P, \theta_P) = 1$
     (2) $P(x) = 1$
     • How to prove the complex condition $P(x) = 1$?
       – Recall that $P$ is a Turing machine
     • General zero-knowledge is inefficient, so we will decompose the statement

  14. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

  15. Idea: History of Computation
     • While a TM's computation is complex, the computation proceeds sequentially
     • The computation defines a sequence of "snapshots" of the machine
     [Figure: snapshot with tape $w_1\, w_2\, w_3\, w_4\, w_5$ in state $q_0$]

  16. Idea: History of Computation
     • While a TM's computation is complex, the computation proceeds sequentially
     • The computation defines a sequence of "snapshots" of the machine
     [Figure: snapshots with tape $w_1\, w_2\, w_3\, w_4\, w_5$ in state $q_0$, then $w'_1\, w_2\, w_3\, w_4\, w_5$ in state $q_1$]

  17. Idea: History of Computation
     • While a TM's computation is complex, the computation proceeds sequentially
     • The computation defines a sequence of "snapshots" of the machine
     [Figure: snapshots with tape $w_1\, w_2\, w_3\, w_4\, w_5$ in state $q_0$, then $w'_1\, w_2\, w_3\, w_4\, w_5$ in state $q_1$, then $w'_1\, w'_2\, w_3\, w_4\, w_5$ in state $q_2$]

  18. Idea: History of Computation
     • While a TM's computation is complex, the computation proceeds sequentially
     • The computation defines a sequence of "snapshots" of the machine
     [Figure: snapshots with tape $w_1\, w_2\, w_3\, w_4\, w_5$ in state $q_0$, then $w'_1\, w_2\, w_3\, w_4\, w_5$ in state $q_1$, then $w'_1\, w'_2\, w_3\, w_4\, w_5$ in state $q_2$, and so on]

  19. Implement the Certificate Approach
     • Using the sequence of snapshots $(s_1, \dots, s_T)$ we can rephrase the proof as follows:
       Prove knowledge of $(s_1, \dots, s_T)$:
       (1) $s_i \to s_{i+1}$ follows the transition function
     • To enforce validity of transitions, the KGC signs every possible valid transition:
       $\theta[s, s'] \leftarrow \mathrm{Sign}(msk, (s, s'))$ for all valid transitions $s \to s'$

  20. Signing Every Possible Transition
     [Figure: snapshots $s_0$, $s_1$, $s_2$, with each consecutive pair labelled "valid transition"]
     Prove knowledge of $(s_0, s_1, \theta_1)$: $\mathrm{Verify}(vk, (s_0, s_1), \theta_1) = 1$

  21. Signing Every Possible Transition
     [Figure: snapshots $s_0$, $s_1$, $s_2$, with each consecutive pair labelled "valid transition"]
     Prove knowledge of $(s_0, s_1, \theta_1)$: $\mathrm{Verify}(vk, (s_0, s_1), \theta_1) = 1$
     Prove knowledge of $(s_1, s_2, \theta_2)$: $\mathrm{Verify}(vk, (s_1, s_2), \theta_2) = 1$

  22. Signing Every Possible Transition
     [Figure: snapshots $s_0$, $s_1$, $s_2$, with each consecutive pair labelled "valid transition"]
     Prove knowledge of $(s_1, \dots, s_T, \theta_1, \dots, \theta_T)$:
     (1) $\mathrm{Verify}((s_{i-1}, s_i), \theta_i) = 1$

  23. Main Difficulty
     Prove knowledge of $(s_1, \dots, s_T, \theta_1, \dots, \theta_T)$:
     (1) $\mathrm{Verify}((s_{i-1}, s_i), \theta_i) = 1$
     • Possible pairs of snapshots are infinitely many,
       – since snapshots have unbounded lengths
     • We further decompose this condition

  24. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

  25. Configuration
     • A snapshot is encoded into a single string, a configuration
       [Figure: the snapshot with tape $w_1\, w_2\, w_3\, w_4\, w_5 \dots$ and state $q$ becomes the configuration $w_1\, w_2\, q\, w_3\, w_4\, w_5 \dots$]
     • Consists of (1) the content of the tape interleaved with (2) the state symbol $q$
       – the position of $q$ encodes the position of the head

  26. Locality of Rewriting
     step $t$:   $w_1\, w_2\, q\, w_3\, w_4\, w_5$
     step $t+1$: $w_1\, q'\, w_2\, w'_3\, w_4\, w_5$
     • Each symbol in a new configuration is determined by neighbors in the old configuration
     • Four neighbors are sufficient for any case

  27. The General Cases
     • Each cell will be determined by the four neighbors in the old configuration
     [Figure: Cases 1 to 6, each pairing a four-symbol window of the old configuration (a b c d e q x f g) with the symbol it determines in the new configuration]

  28. Enforcing Validity of Transition
     • To enforce validity of transition KGC signs on every valid 5-tuple:
       $\theta[w_1, w_2, w_3, w_4, u] \leftarrow \mathrm{Sign}(msk, (w_1, w_2, w_3, w_4, u))$
       [Figure: four neighboring cells $w_1\, w_2\, w_3\, w_4$ and the cell $u$ they determine]
     • The signer proves the knowledge of a signature for every symbol in the new configuration
     old: $w_1\, w_2\, q\, w_3\, w_4\, w_5$
     new: $w_1\, q'\, w_2\, w'_3\, w_4\, w_5$

  29. Enforcing Validity of Transition
     • To enforce validity of transition KGC signs on every valid 5-tuple:
       $\theta[w_1, w_2, w_3, w_4, u] \leftarrow \mathrm{Sign}(msk, (w_1, w_2, w_3, w_4, u))$
     • The signer proves the knowledge of θ for every symbol in the new configuration
     Prove knowledge of $(w_1, w_2, q, w_3, q', \theta_1)$: $\mathrm{Verify}(vk, (w_1, w_2, q, w_3, q'), \theta_1) = 1$
     old: $w_1\, w_2\, q\, w_3\, w_4\, w_5$
     new: $w_1\, q'\, w_2\, w'_3\, w_4\, w_5$

  30. Enforcing Validity of Transition
     • To enforce validity of transition KGC signs on every valid 5-tuple:
       $\theta[w_1, w_2, w_3, w_4, u] \leftarrow \mathrm{Sign}(msk, (w_1, w_2, w_3, w_4, u))$
     • The signer proves the knowledge of θ for every symbol in the new configuration
     Prove knowledge of $(w_2, q, w_3, w_4, w_2, \theta_2)$: $\mathrm{Verify}(vk, (w_2, q, w_3, w_4, w_2), \theta_2) = 1$
     old: $w_1\, w_2\, q\, w_3\, w_4\, w_5$
     new: $w_1\, q'\, w_2\, w'_3\, w_4\, w_5$

  31. Enforcing Validity of Transition
     • To enforce validity of transition KGC signs on every valid 5-tuple:
       $\theta[w_1, w_2, w_3, w_4, u] \leftarrow \mathrm{Sign}(msk, (w_1, w_2, w_3, w_4, u))$
     • The signer proves the knowledge of θ for every symbol in the new configuration
     Prove knowledge of $(q, w_3, w_4, w_5, w'_3, \theta_3)$: $\mathrm{Verify}(vk, (q, w_3, w_4, w_5, w'_3), \theta_3) = 1$
     old: $w_1\, w_2\, q\, w_3\, w_4\, w_5$
     new: $w_1\, q'\, w_2\, w'_3\, w_4\, w_5$

  32. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion

  33. Putting All Together
     $\mathrm{Verify}((w'_5, q_2, w_6, w_7, w'_5), \theta) = 1$
     $w_1\, w_2\, w_3\, w_4\, q_1\, w_5\, w_6\, w_7\, w_8\, w_9\, w_{10}$
     $w_1\, w_2\, w_3\, w_4\, w'_5\, q_2\, w_6\, w_7\, w_8\, w_9\, w_{10}$
     $w_1\, w_2\, w_3\, w_4\, q_3\, w'_5\, w''_6\, w_7\, w_8\, w_9\, w_{10}$
     $w_1\, w_2\, w_3\, q_4\, w_4\, w''_5\, w_6\, w_7\, w_8\, w_9\, w_{10}$
     • Proves the knowledge of signatures on the neighbors (quadratic in running time of TM)
     • Every symbol is hidden as a witness

  34. The Scheme
     • Setup:
       – $crs \leftarrow \mathrm{CRSGen}(1^k)$, $(vk, sk) \leftarrow \mathrm{SigKg}(1^k)$
     • KeyGen:
       – for every valid 5-tuple $(w_1, w_2, w_3, w_4, u)$:
         • $\theta[w_1, w_2, w_3, w_4, u] \leftarrow \mathrm{SigSign}(sk, (w_1, w_2, w_3, w_4, u))$
     • Sign: $\{w_{i,j}\}_{i,j}$: 2D arrangement of configurations
       – $\pi_{i,j} \leftarrow \mathrm{Prove}(crs, (w_{i-1,j-2}, w_{i-1,j-1}, w_{i-1,j}, w_{i+1,j}, w_{i,j}, \theta))$
     • Verify: for all $(i,j)$ verify $\pi_{i,j}$
     [Figure: four neighboring cells $w_1\, w_2\, w_3\, w_4$ and the cell $u$ they determine]

  35. Main Theorem
     Theorem: If the non-interactive proof system is witness-indistinguishable and extractable, and the signature scheme is unforgeable, then the proposed scheme is anonymous and unforgeable.
     Instantiate this with GS proofs in the SXDH setting and structure-preserving signatures.
     Theorem: If the SXDH assumption holds, the proposed scheme satisfies anonymity and unforgeability.

  36. Efficiency
     Signing key length: $O(|\Gamma|^4)$
     Signature length: $O(T^2)$
     Verification time: $O(T^2)$
     $|\Gamma|$: the size of the tape alphabet; $T$: the running time of the TM
     • The scheme is reasonably efficient!

  37. Agenda
     • Attribute-Based Signatures
     • Security Requirement
     • Certificate Approach
     • Idea 1: History of Computation
     • Idea 2: Locality of Rewriting
     • Overview of the Scheme
     • Conclusion
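
The locality-of-rewriting check from slides 25 to 34, as an added example that is not code from the slides or the authors: it enumerates the valid 5-tuples a KGC would sign for a toy policy machine and checks a history of computation cell by cell. The machine (accept an even number of 1s), the fixed-width blank-padded rows and the names `local_rule`, `valid_tuples`, `run` and `check_history` are assumptions; set membership stands in for the signatures θ and there is no zero-knowledge proof, so nothing is hidden here.

```python
from itertools import product

BLANK, STATES, GAMMA = "_", {"q0", "q1", "acc"}, {"0", "1", "_"}
# Constructed toy policy P: accept attribute strings with an even number of 1s.
# DELTA[(state, scanned symbol)] = (new state, written symbol, head move)
DELTA = {("q0", "0"): ("q0", "0", "R"), ("q0", "1"): ("q1", "1", "R"),
         ("q1", "0"): ("q1", "0", "R"), ("q1", "1"): ("q0", "1", "R"),
         ("q0", BLANK): ("acc", BLANK, "L")}

def local_rule(w):
    """Symbol u determined by the old window w = (w1, w2, w3, w4); None if the
    window holds a state with no transition. The state precedes the scanned cell."""
    for k in range(3):
        if w[k] in STATES:
            move = DELTA.get((w[k], w[k + 1]))
            if move is None:
                return None
            new_q, written, direction = move
            if direction == "L":
                return (written, w[0], new_q)[k]
            return (new_q, written, w[1])[k]
    return w[1]  # head too far away: the cell is copied unchanged

def valid_tuples():
    """Every 5-tuple (w1, w2, w3, w4, u) the KGC would sign for this machine."""
    symbols = sorted(STATES | GAMMA)
    return {w + (u,) for w in product(symbols, repeat=4)
            if sum(s in STATES for s in w) <= 1
            and (u := local_rule(w)) is not None}

def window(row, j):
    """Old cells j-1 .. j+2, reading blanks beyond either end of the row."""
    return tuple(row[k] if 0 <= k < len(row) else BLANK for k in range(j - 1, j + 3))

def run(x):
    """History of computation on attribute x, built only from local windows."""
    rows = [[BLANK, "q0", *x, BLANK, BLANK]]
    while True:
        nxt = [local_rule(window(rows[-1], j)) for j in range(len(rows[-1]))]
        if None in nxt:  # the machine has halted
            return rows
        rows.append(nxt)

def check_history(x, rows, table):
    """Plaintext analogue of verification: right start, accepting end, and every
    cell of every row covered by a signed 5-tuple over the previous row."""
    if not rows or rows[0] != [BLANK, "q0", *x, BLANK, BLANK] or "acc" not in rows[-1]:
        return False
    return all(len(new) == len(old) and
               all(window(old, j) + (new[j],) in table for j in range(len(new)))
               for old, new in zip(rows, rows[1:]))
```

The table size depends only on the machine, not on the attribute length, while the number of cells checked grows with both the row width and the number of steps.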
