attribute based signatures maji et al 2008 users have
play

Attribute-Based Signatures [Maji et al. 2008]: Users have attributes - PowerPoint PPT Presentation

Oct 08, 2022 •184 likes •535 views

S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES AND M ORE E FFICIENT C ONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED

  1. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES AND M ORE E FFICIENT C ONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . .

  2. O UTLINE B ACKGROUND 1 N EW S ECURITY M ODEL 2 O UR G ENERIC C ONSTRUCTION 3 I NSTANTIATIONS 4 E FFICIENCY C OMPARISON 5 S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . .

  3. A TTRIBUTE -B ASED S IGNATURES Attribute-Based Signatures [Maji et al. 2008]: Users have attributes (“Manager”, “Finance Department”, etc.). User with attributes A can sign messages w.r.t. policy P if P ( A ) = 1. Verifier only learns that the signature produced by someone with sufficient attributes to satisfy P . Sig - Finance Dept. Chairman - Manager OR Yes/No Manager AND Finance OR Supervisor AND Materials S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 1

  4. A PPLICATIONS OF A TTRIBUTE -B ASED S IGNATURES Example Applications: Attribute-Based Messaging: Recipients are assured the sender satisfies a certain policy. Leaking Secrets: • Ring Signatures [RST01] allow a signer to sign a message on behalf of an ad-hoc group. ABS allow more expressive predicates for leaking a secret ⇒ The whistle-blower satisfies some policy vs. the whistle-blower is in the ring. Many other applications: . . . S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 2

  5. S ECURITY OF A TTRIBUTE -B ASED S IGNATURES (Perfect) Privacy (Anonymity): The signature hides: 1 The identity of the signer. 2 The attributes used in the signing (i.e. how P was satisfied). Unforgeability: A signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy even if she colludes with other signers. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 3

  6. S ECURITY OF A TTRIBUTE -B ASED S IGNATURES (Perfect) Privacy (Anonymity): The signature hides: 1 The identity of the signer. 2 The attributes used in the signing (i.e. how P was satisfied). Unforgeability: A signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy even if she colludes with other signers. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 3

  7. R ELATED WORK ON A TTRIBUTE -B ASED S IGNATURES Maji et al. 2008 & 2011. Shahandashti and Safavi-Naini 2009. Li et al. 2010. Okamoto and Takashima 2011 & 2012. Gagné et al. 2012. Herranz et al. 2012. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 4

  8. T RACEABLE A TTRIBUTE -B ASED S IGNATURES Additionally provide anonymity revocation mechanism (i.e. an opener) to enforce accountability. Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011]: • A single attribute authority. • No judge to verify the opener’s decisions. Decentralized Traceable Attribute-Based Signatures (DTABS) [El Kaafarani et al. 2014]: • Multiple attribute authorities. Need not be aware of each other. • Signers and attribute authorities can join at any time. • Tracing correctness is publicly verifiable. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 5

  9. T RACEABLE A TTRIBUTE -B ASED S IGNATURES Additionally provide anonymity revocation mechanism (i.e. an opener) to enforce accountability. Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011]: • A single attribute authority. • No judge to verify the opener’s decisions. Decentralized Traceable Attribute-Based Signatures (DTABS) [El Kaafarani et al. 2014]: • Multiple attribute authorities. Need not be aware of each other. • Signers and attribute authorities can join at any time. • Tracing correctness is publicly verifiable. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 5

  10. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES Tracing Authority Sig Professor at UCL OR Yes/No IACR Member S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 6

  11. S ECURITY OF DTABS Besides Correctness [El Kaafarani et al. 2014]: Anonymity: Signatures hide identity of the signer and attributes used. Full Unforgeability: Signers cannot sign w.r.t. policies not satisfied by their individual attributes even if they collude. Covers non-frameability. Traceability: The tracing authority can always identify the signer and prove its decision. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 7

  12. O UR C ONTRIBUTION 1 A new stronger security model for DTABS. 2 A new generic construction for DTABS with much more efficient traceability. 3 More efficient instantiations in the standard model in Type-3 bilinear groups. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 8

  13. S HORTCOMINGS IN EXISTING MODELS ◮ Non-Frameability: Issue: Knowledge of the secret key for any attribute allows framing an honest user ⇒ In existing models: • All attribute authorities are trusted not to frame users. • Attribute keys must be delivered securely to users. Solution: Assign users a personal key pair ⇒ Even attribute authorities cannot frame a user without knowledge of her personal secret key. To simplify the definitions, we separate Non-frameability from Unforgeability. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 9

  14. S HORTCOMINGS IN EXISTING MODELS ◮ Non-Frameability: Issue: Knowledge of the secret key for any attribute allows framing an honest user ⇒ In existing models: • All attribute authorities are trusted not to frame users. • Attribute keys must be delivered securely to users. Solution: Assign users a personal key pair ⇒ Even attribute authorities cannot frame a user without knowledge of her personal secret key. To simplify the definitions, we separate Non-frameability from Unforgeability. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 9

  15. S ECURITY OF DTABS ◮ Non-Frameability: If all users, all attribute authorities and the tracing authority collude, they cannot frame an honest user. Param, tk Add User Add Authority Add Att. to User Corrupt User Corrupt Authority Reveal U. Key Reveal A. Key m, Σ, Р, uid, π Reveal Att. Key Sign Adversary wins if: 1 uid is honest, Σ is valid and π accepted by Judge . 2 ( uid , · , m , Σ , P ) was not obtained from the Sign oracle. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 10

  16. S HORTCOMINGS IN EXISTING MODELS FOR DTABS ◮ Lack of Tracing Soundness: Similar to Group Signatures [Sakai et al. 2012], existing models do not prevent a signature being opened differently. Example Scenarios: Claiming authorship of a signature by another (honest) user. A signature opens to two different users. Example applications where this is needed: Signatures used as evidence in court. Users are rewarded for producing signatures. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 11

  17. S ECURITY OF DTABS ◮ Tracing Soundness: A signature cannot trace to two different users. Param, tk Add User Add Authority Add Att. to User Corrupt User Corrupt Authority Reveal U. Key Reveal A. Key m, Σ, Р, uid 1 ,π 1 , uid 2 ,π 2 Reveal Att. Key Adversary wins if: 1 Σ is valid and π i is a valid proof for user uid i for all i ∈ { 1 , 2 } . 2 uid 1 � = uid 2 . S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 12

  18. O UR G ENERIC C ONSTRUCTION How our construction differs from [El Kaafarani et al. 2014]: 1 Users have a personal key pair. 2 Dispense with the pseudo-attribute technique (Prove you satisfy P or have signature w.r.t. some public verification key on the message and P ). 3 Replace the IND-wCCA Tag-based Encryption (used to encrypt the signer’s identity) with a Robust Non-Interactive Distributed/Threshold IND-wCCA Tag-Based Encryption. ⇒ We do without the expensive zero-knowledge proofs in the opening. S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 13

  19. G ENERIC C ONSTRUCTION – B UILDING B LOCKS Tools used: A NIZK proof system NIZK . A tagged signature scheme T S : a signature scheme that signs a tag and a message. An existentially unforgeable (against weak chosen-message attack) signature scheme WDS . An ST-IND-wCCA robust distributed/threshold tag-based encryption scheme DT BE . A strongly unforgeable one-time signature scheme OT S . S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 14

  20. G ENERIC C ONSTRUCTION – D ETAILS Setup: Generate ( epk , esk ) for DT BE and crs for NIZK . H : { 0 , 1 } ∗ → T DT BE & Choose CR hash functions ˆ H : { 0 , 1 } ∗ → M OT S . Set tk := esk and param := ( crs , epk , ˆ H , H ) . User Key Generation: Generate a key pair ( uvk [ uid ] , usk [ uid ]) for WDS . Attribute Authority Join: Generate a key pair ( aavk aid , assk aid ) for T S . Attribute Key Generation: To generate a key sk uid ,α for attribute α for signer uid , compute sk uid ,α ← T S . Sign ( assk aid ( α ) , uvk [ uid ] , α ) . S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 15

  21. G ENERIC C ONSTRUCTION – D ETAILS Setup: Generate ( epk , esk ) for DT BE and crs for NIZK . H : { 0 , 1 } ∗ → T DT BE & Choose CR hash functions ˆ H : { 0 , 1 } ∗ → M OT S . Set tk := esk and param := ( crs , epk , ˆ H , H ) . User Key Generation: Generate a key pair ( uvk [ uid ] , usk [ uid ]) for WDS . Attribute Authority Join: Generate a key pair ( aavk aid , assk aid ) for T S . Attribute Key Generation: To generate a key sk uid ,α for attribute α for signer uid , compute sk uid ,α ← T S . Sign ( assk aid ( α ) , uvk [ uid ] , α ) . S TRONGER S ECURITY N OTIONS FOR D ECENTRALIZED . . . 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
Attribute-Based Signatures [Maji et al. 2008] . Users have attributes (e.g. Departmental

Attribute-Based Signatures [Maji et al. 2008] . Users have attributes (e.g. Departmental

D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol , 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA 2014 D ECENTRALIZED T RACEABLE A

619 views • 24 slides
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST,

Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST,

Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) Goichiro Hanaoka (AIST, Japan) 1 Our Contribution

938 views • 38 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
Texture attribute synthesis and transfer using feed-forward CNNs Thomas Irmer, Tobias Glasmachers,

Texture attribute synthesis and transfer using feed-forward CNNs Thomas Irmer, Tobias Glasmachers,

Texture attribute synthesis and transfer using feed-forward CNNs Thomas Irmer, Tobias Glasmachers, Subhransu Maji Paper-ID 175 Texture attribute synthesis and transfer using feed-forward CNNs Thomas Irmer, Tobias Glasmachers, Subhransu Maji

505 views • 15 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

PKI based Access Control with Attribute on n users Application Profile (AP) cwr cwr cwr cwr

Visibl Card issuing Unive Foreign users Card e rsity holder Metho intern Data element Stude Staff Guest Unive Unive Other ds al nts admin admin rsity rsity s admin istrati istrati users consol depen istrati on on

407 views • 21 slides
Reasoning about Fine-grained Attribute Phrases using Reference Games Jong-Chyi Su* Chenyun Wu*

Reasoning about Fine-grained Attribute Phrases using Reference Games Jong-Chyi Su* Chenyun Wu*

Reasoning about Fine-grained Attribute Phrases using Reference Games Jong-Chyi Su* Chenyun Wu* Huaizu Jiang Subhransu Maji University of Massachusetts, Amherst ICCV 2017 Expert-designed Attributes Is military plane? No Is propellor

531 views • 19 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University of Technology 20 July 2020 Benefits of hash-based signatures Old idea: 1979 Lamport one-time signatures. 1979 Merkle extends to more

659 views • 40 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control Daniel Servos Michael Bauer Western University Western University London, Ontario London, Ontario dservos5@uwo.ca bauer@uwo.ca November

511 views • 34 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
Exploring Supervised LDA Models for Assigning Attributes to Adjective-Noun Phrases Matthias

Exploring Supervised LDA Models for Assigning Attributes to Adjective-Noun Phrases Matthias

Exploring Supervised LDA Models for Assigning Attributes to Adjective-Noun Phrases Matthias Hartung Anette Frank Computational Linguistics Department Heidelberg University EMNLP 2011 Edinburgh, July 28 Attribute Selection: Definition and

426 views • 42 slides
Transferable Skills & Personal Attributes CDANZ National Symposium 3 October Christchurch

Transferable Skills & Personal Attributes CDANZ National Symposium 3 October Christchurch

Transferable Skills & Personal Attributes CDANZ National Symposium 3 October Christchurch Presented by Lee Brodie www.careerdynamic.com Today Career Dynamic practice and resource development history Quick overview of

302 views • 12 slides
The Structure of THE-Multiprogramming System Edsger W. Dijkstra presented by Ian Elliot

The Structure of THE-Multiprogramming System Edsger W. Dijkstra presented by Ian Elliot

The Structure of THE-Multiprogramming System Edsger W. Dijkstra presented by Ian Elliot THE hardware EL X8 (Electrologica X8) core memory cycle 2.5sec (400Khz) 27 bits words 32K (words?) Drum of 512K

490 views • 25 slides
Foundations II Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois

Foundations II Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois

CS 563 - Advanced Computer Security: Foundations II Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Explore how the security of Multics failed in practice

648 views • 31 slides
June 2018 CBMS Build Before We Get S tarted Let us know how we are doing! Your

June 2018 CBMS Build Before We Get S tarted Let us know how we are doing! Your

June 2018 CBMS Build Before We Get S tarted Let us know how we are doing! Your questions are not being ignored. Attendance tracking is not immediate. We are recording. The Build Guide and PPT are available! HCPF Projects

915 views • 78 slides
Dimensionality Reduction for Visualization Lecture 13 April 8, 2020 Outline High-dimensional

Dimensionality Reduction for Visualization Lecture 13 April 8, 2020 Outline High-dimensional

CS53000-Spring 2020 Introduction to Scientific Visualization Dimensionality Reduction for Visualization Lecture 13 April 8, 2020 Outline High-dimensional data Dimensionality reduction Manifold learning Topological data analysis 2 CS530 /

676 views • 30 slides
SCHAC and the EU-* schemas Diego R. Lopez RedIRIS The origin Several national/regional

SCHAC and the EU-* schemas Diego R. Lopez RedIRIS The origin Several national/regional

SCHAC and the EU-* schemas Diego R. Lopez RedIRIS The origin Several national/regional formalized schemas through NRENs Expressed as extensions to inetOrgPerson and eduPerson Syntax New attributes New classes beyond personal

481 views • 11 slides
Relational Design 1 / 34 Relational Design Basic design approaches. What makes a good

Relational Design 1 / 34 Relational Design Basic design approaches. What makes a good

Relational Design 1 / 34 Relational Design Basic design approaches. What makes a good design better than a bad design? How do we tell we have a "good" design? How to we go about creating a good design? 2 / 34 Basic

562 views • 34 slides

More recommend