construction of universal designated verifier signatures
play

Construction of Universal Designated-Verifier Signatures and - PowerPoint PPT Presentation

Dec 17, 2023 •5 likes •465 views

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

  1. Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni Wollongong, Australia www.uow.edu.au/ ∼ sfs166 2 Dept Comp Sci & iCIS, Uni Calgary, Canada www.cpsc.ucalgary.ca/ ∼ rei PKC 2008 UDVS & IBS from Signatures Universities of Wollongong and Calgary

  2. Motivation Research Question Results Conclusion Notes Outline Motivation Universal Designated-Verifier Signatures Identity-Based Signatures Research Question Research Question Formulation of Patterns Results Our UDVS Construction and Its Security Our IBS Construction and Its Security Conclusion Concluding Remarks Notes Final Notes UDVS & IBS from Signatures Universities of Wollongong and Calgary

  3. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  4. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  5. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures What’s a Universal Designated-Verifier Signature? a.k.a. UDVS ◮ Basically: a signature scheme with an extra functionality ◮ Goal: to protect user privacy when using credentials ◮ Idea: transform signature s.t. it only convinces a particular verifier Credential Issuer Credential Holder Credential Verifier pk s , sk v , m, ˆ sk s , m pk s , pk v , m, σ σ σ ˆ σ σ ˆ σ d Sign Desig DVer UDVS & IBS from Signatures Universities of Wollongong and Calgary

  6. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  7. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  8. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  9. Motivation Research Question Results Conclusion Notes Universal Designated-Verifier Signatures How can we construct a UDVS? ◮ ˆ σ is a designated-verifier non-interactive proof of holding a valid signature on m . ◮ Jakobsson et al’s intuition to verifier designation: “Instead of proving X, Alice will prove the statement: Either X is true, or I am Bob.” ◮ In the Random Oracle Model, non-interactive proofs can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So the only things we need are: ◮ A Σ protocol for proof of knowledge of a signature on a message, and ◮ A Σ protocol for proof of knowledge of the verifier’s secret key. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  10. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  11. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  12. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  13. Motivation Research Question Results Conclusion Notes Identity-Based Signatures How can we construct an Identity-Based Signature? a.k.a. IBS Key Issuer User Verifier msk, id usk, m mpk, id, m, σ usk σ usk σ d UKeyGen Desig DVer ◮ σ is a signature on m that shows the signer has knowledge of usk ◮ In the Random Oracle Model, signatures can be constructed using Fiat-Shamir heuristic from Σ protocols. ◮ So again the only thing we need is: ◮ A Σ protocol for proof of knowledge of a signature on a message. UDVS & IBS from Signatures Universities of Wollongong and Calgary

  14. Motivation Research Question Results Conclusion Notes Research Question So, What’s the problem Then? Although any NP relation has a Σ protocol, these generic protocols are normally not efficient! Is there any more efficient way to do it? UDVS & IBS from Signatures Universities of Wollongong and Calgary

  15. Motivation Research Question Results Conclusion Notes Formulation of Patterns Yes, There Is a Way! We don’t actually need strict honest-verifier zero-knowledge! Example Schnorr signature: c = H ( g z · h − c , m ) pk = ( p , q , g , h = g x ) , σ = ( c , z ) : To prove knowledge of a signature aux = g z · h − c ◮ give out g z = aux · h H ( aux , m ) ◮ prove knowledge of z : UDVS & IBS from Signatures Universities of Wollongong and Calgary

  16. Motivation Research Question Results Conclusion Notes Formulation of Patterns Yes, There Is a Way! We don’t actually need strict honest-verifier zero-knowledge! Example Schnorr signature: c = H ( g z · h − c , m ) pk = ( p , q , g , h = g x ) , σ = ( c , z ) : To prove knowledge of a signature aux = g z · h − c ◮ give out g z = aux · h H ( aux , m ) ◮ prove knowledge of z : UDVS & IBS from Signatures Universities of Wollongong and Calgary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Estonian Theory Days, Koke, Estonia Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa Helsinki University of Technology, Finland Guilin Wang and Feng Bao Institute of Infocomm Research, Singapore Koke,

732 views • 37 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Universal algebra Basics of universal algebra: signatures and algebras homomorphisms,

Universal algebra Basics of universal algebra: signatures and algebras homomorphisms,

Universal algebra Basics of universal algebra: signatures and algebras homomorphisms, subalgebras, congruences equations and varieties equational calculus equational specifications and initial algebras variations: partial

866 views • 32 slides
Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions

Hashes & MAC. Digital Signatures Lecture 16 One-time MAC With 2-Universal Hash Functions Trivial (very inefficient) solution (to sign a single n bit message): r 10 r 20 r 30 Key: 2n random strings (each k-bit long) (r i0 ,r i1 ) i=1..n r 11

531 views • 10 slides
THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden

THE UNIVERSAL TRANSACTIONAL MEMORY CONSTRUCTION Jons-Tobias Wamhoff and Christof Fetzer Dresden University of Technology, Germany 1 MOTIVATION Universal construction Shows how to convert sequential algorithm into concurrent wait-free

331 views • 20 slides
Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint

Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint

Explicit construction of universal structures Jan Hubi cka Charles University Prague Joint work with Jarik Neet ril Workshop on Homogeneous Structures 2011 Jan Hubi cka Explicit construction of universal structures Universal

990 views • 59 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA

INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA

INTEGRA Universal water tanks ver.04.2013 1 Construction, operation principle 2 2 INTEGRA universal water tanks General features INTEGRA series Universal water heaters used for DHW heating and CH support Integrated DHW tank

419 views • 26 slides
From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction

From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction

From Barrier-free Accessibility to Universal Design Ms GOH Siam Imm, Building and Construction Authority, Singapore Edited transcript of presentation to 2 nd Australian Universal Design Conference 2016 Today I'm going to share the Singapore

75 views • 4 slides
Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS

Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS

Adding Aerosol Cans to the Universal Waste Regulations Where does Universal Waste fit? HAZARDOUS WASTES SOLID WASTES UNIVERSAL WASTES - Universal waste categories must be hazardous waste before they can be designated as universal wastes -

810 views • 40 slides
AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear

AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear

AVERIST: An Algorithmic VERifier for STability AVERIST ARCHITECTURE AVERIST architecture Linear PSS expressions AVERIST State-space partition Weighted ABSTRACTION MODEL-CHECKING Graph analysis graph Graph construction Counterexample

448 views • 21 slides
A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal

A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal

A decomposition of the tripos-to-topos construction Jonas Frey June 2010 Part 1 A universal characterization of the tripos-to-topos construction A universal characterization of the tripos-to-topos construction What should a universal

748 views • 46 slides
Developmental Services In Vermont Designated Agency System The Designated System operates on

Developmental Services In Vermont Designated Agency System The Designated System operates on

1/10/2019 Developmental Services In Vermont Designated Agency System The Designated System operates on a zero reject premise Ten Designated Agencies each responsible for a geographic region Eligibility Determination Assessment of

314 views • 5 slides
On a general construction of countable universal homogeneous algebraic systems Dragan Ma

On a general construction of countable universal homogeneous algebraic systems Dragan Ma

On a general construction of countable universal homogeneous algebraic systems Dragan Ma sulovi c Department of Mathematics and Informatics University of Novi Sad, Serbia (joint work with Wiesav Kubi s) AAA 88, Warsaw, 1922 June

384 views • 14 slides
3 3.1 Grammars and Sentence Structure 3.2 What Makes a Good Grammar 3.3 A Top-Down Parser 3.4 A

3 3.1 Grammars and Sentence Structure 3.2 What Makes a Good Grammar 3.3 A Top-Down Parser 3.4 A

Grammars and Parsing C H A P T E R 3 3.1 Grammars and Sentence Structure 3.2 What Makes a Good Grammar 3.3 A Top-Down Parser 3.4 A Bottom-Up Chart Parser 3.5 Transition Network Grammars 3.6 Top-Down Chart Parsing 3.7 Finite State

643 views • 43 slides
LArG4 refactoring status and plan Hans Wenzel 6 th August 2018 Requirements Separate

LArG4 refactoring status and plan Hans Wenzel 6 th August 2018 Requirements Separate

LArG4 refactoring status and plan Hans Wenzel 6 th August 2018 Requirements Separate Simulation from digitization and detector response Simulation: completely depend on tools provided by Geant4 and use the provided interfaces (or work

520 views • 25 slides
Can Increasing Input Dimensionality Improve Deep Reinforcement Learning? Kei Ota 1 , Tomoaki Oiki

Can Increasing Input Dimensionality Improve Deep Reinforcement Learning? Kei Ota 1 , Tomoaki Oiki

Can Increasing Input Dimensionality Improve Deep Reinforcement Learning? Kei Ota 1 , Tomoaki Oiki 1 , Devesh K. Jha 2 , Toshisada Mariyama 1 , and Daniel Nikovski 2 1. Mitsubishi Electrics, Kanagawa, JP 2. Mitsubishi Electric Research Labs, MA,

305 views • 16 slides
Presented by Amel Benna Agenda Background 1. Data Integration issues 2. Our Approach for Data

Presented by Amel Benna Agenda Background 1. Data Integration issues 2. Our Approach for Data

The International Workshop on Advanced Information Systems for Enterprises Constantine April,19-20, 2008 Nadir Salhi , & Amel Benna, CERIST, University A/Mira Bejaia, Algeria Zaia Alimazighi LSI, USTHB Algers, Algeria Bilal Amrouche &

604 views • 22 slides
Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert

Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert

Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert Levine 2019 5201 Auxiliaries and the -calculus 1 / 25 Where we left off. . . We can draw a couple of general conclusions at this point. The

791 views • 25 slides
2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy

2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy

Manufacturing 2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy Important? 1/3 direct energy Much of the indirect - use phase is in the service of manufacturing Manufacturing

1.33k views • 98 slides
Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java key-indexed counting LSD radix sort Algorithms MSD radix sort F O U R T H E D I T I O N 3-way radix quicksort R OBERT S EDGEWICK | K EVIN W AYNE

998 views • 66 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides

More recommend