
Decentralized Traceable Attribute-Based Signatures. Essam Ghadafi (University of Bristol), Ali El Kaafarani (University of Bath), Dalia Khader (University of Luxembourg). ghadafi@cs.bris.ac.uk. CT-RSA 2014.


  1. Decentralized Traceable Attribute-Based Signatures
     Essam Ghadafi (University of Bristol), Ali El Kaafarani (University of Bath), Dalia Khader (University of Luxembourg)
     ghadafi@cs.bris.ac.uk
     CT-RSA 2014

  2. Outline
     1. Background
     2. A Security Model
     3. Generic Constructions
     4. Instantiations
     5. Summary

  3. Attribute-Based Signatures
     Attribute-Based Signatures [Maji et al. 2008]:
     - Users have attributes (e.g. “Departmental Manager”, “Chairman”, “Finance Department”, etc.).
     - A user can sign a message w.r.t. a policy $\Psi$ only if she owns attributes $A$ s.t. $\Psi(A) = 1$.
     - The verifier learns nothing other than that some signer with attributes satisfying the policy has produced the signature.
     [Figure: a signer with the attributes “Finance Dept.” and “Manager” produces a signature Sig under the policy “Chairman OR Manager AND Finance OR Supervisor AND Materials”.]

  4. Applications of Attribute-Based Signatures
     Example applications:
     - Attribute-Based Messaging: Recipients are assured the sender satisfies a certain policy.
     - Leaking Secrets: Ring Signatures [RST01] allow a signer to sign a message on behalf of an ad-hoc group. ABS allow more expressive predicates for leaking a secret ⇒ the leaker satisfies some policy vs. the leaker is in the ring.
     - Many other applications: ...

  5. Security of Attribute-Based Signatures
     Security of Attribute-Based Signatures [Maji et al. 2008]:
     - (Perfect) Privacy (Anonymity): The signature hides:
       1. The identity of the signer.
       2. The attributes used in the signing (i.e. how $\Psi$ was satisfied).
     - Unforgeability: A signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy, even if she colludes with other signers.

  6. Related Work on Attribute-Based Signatures
     - Maji et al. 2008 & 2011.
     - Shahandashti and Safavi-Naini 2009.
     - Li et al. 2010.
     - Okamoto and Takashima 2011 & 2012.
     - Gagné et al. 2012.
     - Herranz et al. 2012.

  7. Traceable Attribute-Based Signatures
     Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011]:
     - Extend ABS by adding an anonymity revocation mechanism.
     - A tracing authority can reveal the identity of the signer.
     - Crucial in enforcing accountability and deterring abuse.

  8. Our Contribution
     1. A security model for Decentralized Traceable Attribute-Based Signatures (DTABS).
     2. Two generic constructions for DTABS.
     3. Example instantiations in the standard model.

  9. Decentralized Traceable Attribute-Based Signatures
     [Figure: a signature Sig under the policy “Professor at Bristol OR IACR Member”, with a Tracing Authority.]

  10. Decentralized Traceable Attribute-Based Signatures
      Features of our model:
      - Multiple attribute authorities, e.g. Company A, University B, Organization C, Government D, etc.
        - Need not trust one another or even be aware of each other.
      - Signers and attribute authorities can join the system at any time.
      - A tracing authority can reveal the identity of the signer.
      - Tracing correctness is publicly verifiable.

  11. Security of DTABS
      - Correctness: If all parties are honest:
        - Signatures verify correctly.
        - The tracing authority can identify the signer.
        - The Judge algorithm accepts the tracing decision.

  12. Security of DTABS
      - Anonymity: Signatures do not reveal the identity of the signer or the attributes used.
      [Figure: anonymity game. The adversary is given param and the oracles Add Signer, Add Auth, Add Corrupt Auth, CH, Reveal Signer Key, Reveal Auth Key and Trace Signature. It sends $(sid_0, A_0), (sid_1, A_1), m, \psi$ to CH, which picks $b \leftarrow \{0,1\}$ and returns $\sigma$; the adversary outputs $b^*$.]
      Adversary wins if: $b = b^*$.
      - The CH oracle returns $\bot$ if $\Psi(A_0) \neq 1$ or $\Psi(A_1) \neq 1$.
      - The Trace oracle returns $\bot$ if queried on $\sigma$.

  13. Security of DTABS
      - Full Unforgeability: Even if signers collude, they cannot produce a signature on behalf of a signer whose attributes do not satisfy the policy. Covers non-frameability.
      [Figure: full unforgeability game. The adversary is given Param and tk and the oracles Add Signer, Add Auth, Add Corrupt Auth, Reveal Signer Key, Reveal Auth Key and Sign; it outputs $(m^*, \sigma^*, \psi^*, sid^*, \pi^*)$.]
      Adversary wins if:
      - $\sigma^*$ is valid and $\pi^*$ accepted by Judge.
      - No corrupt subset of attributes $A^*_{sid^*}$ s.t. $\Psi^*(A^*_{sid^*}) = 1$.
      - $(sid^*, \cdot, m^*, \sigma^*, \Psi^*)$ was not obtained from the signing oracle.

  14. Security of DTABS
      - Traceability: Signatures are traceable, i.e. the tracing authority can always identify the signer.
      [Figure: traceability game. The adversary is given Param and tk and the oracles Add Signer, Add Auth, Reveal Signer Key and Sign; it outputs $(m^*, \sigma^*, \psi^*)$.]
      Adversary wins if all of the following hold: $\sigma^*$ is a valid signature on $m^*$ w.r.t. $\Psi^*$ and either:
      - $\sigma^*$ opens to a signer who was never added.
      - The Judge algorithm rejects the tracing proof.

  15. Generic Constructions: Construction I
      - Tools used:
        - Two NIZK systems $\mathsf{NIZK}_1$ and $\mathsf{NIZK}_2$.
          - $\mathsf{NIZK}_1$ needs to be simulation-sound and a proof of knowledge.
        - A tagged signature scheme $\mathcal{TS}$: a digital signature scheme that signs a tag and a message.
        - A digital signature scheme $\mathcal{DS}$.
        - An IND-CCA2 public key encryption scheme $\mathcal{PKE}$.

  16. Generic Constructions (Construction I)
      - Setup: Generate $(epk, esk)$ for $\mathcal{PKE}$, $(vk, sk)$ for $\mathcal{DS}$, $crs_1$ for $\mathsf{NIZK}_1$, and $crs_2$ for $\mathsf{NIZK}_2$. Set $tk := esk$ and $param := (crs_1, crs_2, vk, epk, H)$.
      - Attribute Authority Join: Generate $(aavk_{aid}, assk_{aid})$ for $\mathcal{TS}$.
      - Attribute Key Generation: To generate a key $sk_{sid,a}$ for attribute $a$ for signer $sid$, compute $sk_{sid,a} \leftarrow \mathcal{TS}.\mathsf{Sign}(assk_{aid(a)}, sid, a)$.

  17. Generic Constructions (Construction I)
      - Signing: To sign $m$ w.r.t. $\Psi$:
        1. $C \leftarrow \mathcal{PKE}.\mathsf{Enc}(epk, sid)$.
        2. Produce a proof $\pi$ of $A$ and $sid$ that:
           1. $C$ is an encryption of $sid$.
           2. Either owns attributes $A$ s.t. $\Psi(A) = 1$ ⇒ has a valid tagged signature on $(sid, a)$ for each $a \in A$, OR has a special digital signature on $H(\Psi, m, C)$, i.e. a pseudo-attribute.
        The signature is $\sigma := (C, \pi)$.
      - Tracing: The tracing authority uses $esk$ to decrypt $C$ to obtain $sid$. Produces a proof $\pi_{Trace}$ of $esk$ that decryption was done correctly.

  18. Generic Constructions: Construction II
      - Changes from Construction I:
        - $\mathsf{NIZK}_1$ need not be simulation-sound.
        - Replace $\mathcal{PKE}$ with a selective-tag weakly IND-CCA tag-based encryption scheme $\mathcal{TPKE}$.
        - Need a strongly unforgeable one-time signature $\mathcal{OTS}$.
        - Another collision-resistant hash function $\hat{H}$ to hash into the tag space of $\mathcal{TPKE}$.

  19. Generic Constructions (Construction II)
      - Signing: To sign $m$ w.r.t. $\Psi$:
        1. Choose a fresh key pair $(otsvk, otssk)$ for $\mathcal{OTS}$.
        2. $C_{tbe} \leftarrow \mathcal{TPKE}.\mathsf{Enc}(epk, \hat{H}(otsvk), sid)$.
        3. Produce a proof $\pi$ of $A$ and $sid$ that:
           1. $C_{tbe}$ is an encryption of $sid$ under tag $\hat{H}(otsvk)$.
           2. Either owns attributes $A$ s.t. $\Psi(A) = 1$ ⇒ has a valid tagged signature on $(sid, a)$ for each $a \in A$, OR has a special digital signature on $H(\Psi, m, C_{tbe}, \hat{H}(otsvk))$.
        4. Compute $\sigma_{ots} \leftarrow \mathcal{OTS}.\mathsf{Sign}(otssk, (\pi, C_{tbe}, otsvk))$.
        The signature is $\sigma := (\sigma_{ots}, \pi, C_{tbe}, otsvk)$.
      - Tracing: The tracing authority uses $esk$ to decrypt $C_{tbe}$ to obtain $sid$. Produces a proof $\pi_{Trace}$ of $esk$ that decryption was done correctly.

  20. Generic Constructions (Construction II)
      Security of the construction:
      - Anonymity: NIZK of $\mathsf{NIZK}_1$ and $\mathsf{NIZK}_2$. ST-IND-CCA of $\mathcal{TPKE}$. Unforgeability of $\mathcal{OTS}$. Collision-resistance of $H$ and $\hat{H}$.
      - Full Unforgeability: Soundness of $\mathsf{NIZK}_1$ and $\mathsf{NIZK}_2$. Unforgeability of $\mathcal{TS}$, $\mathcal{DS}$ and $\mathcal{OTS}$. Collision-resistance of $H$ and $\hat{H}$.
      - Traceability: Soundness of $\mathsf{NIZK}_1$. Unforgeability of $\mathcal{TS}$ and $\mathcal{DS}$.

  21. Generic Constructions
      How to prove that one owns $A$ s.t. $\Psi(A) = 1$?
      - Use a span program:
        - Represent $\Psi$ by a $|\Psi| \times \beta$ span matrix $S$.
        - Prove you know a vector $\vec{z}$ s.t. $\vec{z} S = [1, 0, \ldots, 0]$ ⇒ $\{a_i \mid z_i \neq 0\}$ satisfies $\Psi$.
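
An added worked example (not from the slides or the paper) of the span-program check on slide 21, using the policy from the figure on slide 3. Assumptions of this sketch: the policy is read as Chairman OR (Manager AND Finance) OR (Supervisor AND Materials), the OR-of-ANDs matrix construction and all function names are illustrative, and the arithmetic is over the rationals rather than the scheme's field.

```python
from fractions import Fraction

# Constructed sample policy (assumed grouping): an OR of AND-clauses.
POLICY = [["Chairman"], ["Manager", "Finance"], ["Supervisor", "Materials"]]

def span_matrix(dnf):
    """Return [(attribute, row)] of a span matrix S for an OR of AND-clauses."""
    width = 1 + sum(len(clause) - 1 for clause in dnf)  # beta columns
    rows, col = [], 1
    for clause in dnf:
        for i, attr in enumerate(clause):
            v = [0] * width
            if i == 0:
                v[0] = 1            # first attribute of a clause hits the target column
            else:
                v[col - 1] = -1     # cancels the link column opened by the previous row
            if i < len(clause) - 1:
                v[col] = 1          # open a link column to the next attribute
                col += 1
            rows.append((attr, v))
    return rows

def witness(rows, owned):
    """Solve z S = [1,0,...,0] with z_i = 0 on unowned rows; None if impossible."""
    idx = [i for i, (attr, _) in enumerate(rows) if attr in owned]
    width = len(rows[0][1])
    # One equation per column j of S, augmented with the target entry.
    M = [[Fraction(rows[i][1][j]) for i in idx] + [Fraction(int(j == 0))]
         for j in range(width)]
    pivots = []
    for c in range(len(idx)):       # Gauss-Jordan elimination
        r = len(pivots)
        p = next((k for k in range(r, width) if M[k][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        M[r] = [x / M[r][c] for x in M[r]]
        for k in range(width):
            f = M[k][c]
            if k != r and f != 0:
                M[k] = [x - f * y for x, y in zip(M[k], M[r])]
        pivots.append(c)
    if any(row[-1] != 0 for row in M[len(pivots):]):
        return None                 # owned rows do not span the target vector
    z = [Fraction(0)] * len(rows)
    for k, c in enumerate(pivots):
        z[idx[c]] = M[k][-1]
    return z

def used_attributes(rows, z):       # the set {a_i | z_i != 0}
    return {attr for (attr, _), zi in zip(rows, z) if zi != 0}
```

A holder of {Manager, Materials} gets no witness because each of those rows leaves a link column uncancelled, while a holder of {Chairman, Supervisor} gets a witness that is non-zero only on Chairman.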
