
Galindo-Garcia Identity-Based Signature Revisited (PowerPoint presentation by Sanjit Chatterjee, Chethan Kamath and Vikas Kumar)



1. Galindo-Garcia Identity-Based Signature Revisited. Sanjit Chatterjee, Chethan Kamath and Vikas Kumar, Indian Institute of Science, Bangalore. November 2, 2013

2. Table of contents
◮ Formal Definitions
  ◮ Public-Key Signature and Identity-Based Signature
  ◮ Security Models for PKS and IBS
◮ Galindo-Garcia IBS
  ◮ Salient Features
  ◮ Schnorr Signature and the Oracle Replay Attack
  ◮ Construction and Original Security Argument
  ◮ New Security Argument
◮ Conclusion and Future Work

3. Formal Definitions

4. Definition: Public-Key Signature
A PKS scheme consists of three PPT algorithms $\{\mathcal{K}, \mathcal{S}, \mathcal{V}\}$.
◮ Key Generation, $\mathcal{K}$
  ◮ Used by the user to generate the public-private key pair $(pk, sk)$
  ◮ $pk$ is published and $sk$ is kept secret
  ◮ Run on a security parameter $\kappa$: $(pk, sk) \xleftarrow{\$} \mathcal{K}(\kappa)$
◮ Signing, $\mathcal{S}$
  ◮ Used by the user to generate a signature on some message $m$
  ◮ The secret key $sk$ is used for signing: $\sigma \xleftarrow{\$} \mathcal{S}(sk, m)$
◮ Verification, $\mathcal{V}$
  ◮ Outputs 1 if $\sigma$ is a valid signature on $m$; else, outputs 0: $b \leftarrow \mathcal{V}(\sigma, m, pk)$

5. Definition: Identity-Based Signature
An IBS scheme consists of four PPT algorithms $\{\mathcal{G}, \mathcal{E}, \mathcal{S}, \mathcal{V}\}$.
◮ Set-up, $\mathcal{G}$
  ◮ Used by the PKG to generate the public parameters ($mpk$) and the master secret ($msk$)
  ◮ $mpk$ is published and $msk$ is kept secret
  ◮ Run on a security parameter $\kappa$: $(mpk, msk) \xleftarrow{\$} \mathcal{G}(\kappa)$
◮ Key Extraction, $\mathcal{E}$
  ◮ Used by the PKG to generate the user secret key ($usk$) for an identity $id$: $usk \xleftarrow{\$} \mathcal{E}(id, msk)$
  ◮ $usk$ is then distributed to the user through a secure channel

6. Definition: Identity-Based Signature (continued)
◮ Signing, $\mathcal{S}$
  ◮ Used by a user with identity $id$ to generate a signature on some message $m$
  ◮ The user secret key $usk$ is used for signing: $\sigma \xleftarrow{\$} \mathcal{S}(usk, id, m, mpk)$
◮ Verification, $\mathcal{V}$
  ◮ Outputs 1 if $\sigma$ is a valid signature on $m$ by the user with identity $id$; otherwise, outputs 0: $b \leftarrow \mathcal{V}(\sigma, id, m, mpk)$

7. Security Models for PKS and IBS

8–11. Security Model for PKS: EU-CMA
(Game diagram: the challenger $\mathcal{C}$ sends $pk$ to the adversary $\mathcal{A}$, who may query the signing oracle $\mathcal{O}_s$ and finally outputs a forgery $(\hat\sigma, \hat m)$.)
◮ Existential unforgeability under chosen-message attack
◮ $\mathcal{C}$ generates the key pair $(pk, sk)$ and passes $pk$ to $\mathcal{A}$.
◮ Signature Queries: $\mathcal{A}$ has access to a signing oracle $\mathcal{O}_s$.
◮ Forgery: $\mathcal{A}$ wins if
  ◮ $\hat\sigma$ is a valid signature on $\hat m$, and
  ◮ $\mathcal{A}$ has not made a signature query on $\hat m$.
◮ Adversary's advantage in the game:
$$\Pr\left[\,1 \leftarrow \mathcal{V}(\hat\sigma, \hat m, pk)\;\middle|\;(sk, pk) \xleftarrow{\$} \mathcal{K}(\kappa);\ (\hat\sigma, \hat m) \xleftarrow{\$} \mathcal{A}^{\mathcal{O}_s}(pk)\,\right]$$

12. Security Model for PKS: EU-NMA
(Game diagram: the challenger $\mathcal{C}$ sends $pk$ to the adversary $\mathcal{A}$, who outputs a forgery $(\hat\sigma, \hat m)$ without any oracle access.)
◮ Existential unforgeability under no-message attack
◮ $\mathcal{C}$ generates the key pair $(pk, sk)$ and passes $pk$ to $\mathcal{A}$.
◮ No Signature Queries: unlike EU-CMA, $\mathcal{A}$ is given no signing oracle, so it sees no signature before producing its forgery.
◮ Forgery: $\mathcal{A}$ wins if $\hat\sigma$ is a valid signature on $\hat m$ (every message is trivially fresh, since nothing was queried).
◮ Adversary's advantage in the game:
$$\Pr\left[\,1 \leftarrow \mathcal{V}(\hat\sigma, \hat m, pk)\;\middle|\;(sk, pk) \xleftarrow{\$} \mathcal{K}(\kappa);\ (\hat\sigma, \hat m) \xleftarrow{\$} \mathcal{A}(pk)\,\right]$$

13–16. Security Model for IBS: EU-ID-CMA
(Game diagram: the challenger $\mathcal{C}$ sends $mpk$ to the adversary $\mathcal{A}$, who may query the signing oracle $\mathcal{O}_s$ and the extract oracle $\mathcal{O}_\varepsilon$ and finally outputs a forgery $(\hat\sigma, \widehat{id}, \hat m)$.)
◮ Existential unforgeability with adaptive identity under chosen-message attack
◮ $\mathcal{C}$ generates the key pair $(mpk, msk)$ and passes $mpk$ to $\mathcal{A}$.
◮ Extract Queries, Signature Queries: $\mathcal{A}$ has access to an extract oracle $\mathcal{O}_\varepsilon$ (returning $usk$ for an identity of its choice) and a signing oracle $\mathcal{O}_s$.
◮ Forgery: $\mathcal{A}$ wins if
  ◮ $\hat\sigma$ is a valid signature on $\hat m$ by $\widehat{id}$,
  ◮ $\mathcal{A}$ has not made an extract query on $\widehat{id}$, and
  ◮ $\mathcal{A}$ has not made a signature query on $(\widehat{id}, \hat m)$.
◮ Adversary's advantage in the game:
$$\Pr\left[\,1 \leftarrow \mathcal{V}(\hat\sigma, \widehat{id}, \hat m, mpk)\;\middle|\;(msk, mpk) \xleftarrow{\$} \mathcal{G}(\kappa);\ (\hat\sigma, \widehat{id}, \hat m) \xleftarrow{\$} \mathcal{A}^{\mathcal{O}_{\{s,\varepsilon\}}}(mpk)\,\right]$$

17–18. Hardness Assumption: Discrete-log Assumption
Discrete-log problem for a group $\mathbb{G} = \langle g \rangle$ with $|\mathbb{G}| = p$.
(Game diagram: the DLP challenger $\mathcal{C}$ sends $(\mathbb{G}, g, p, g^\alpha)$ to the adversary $\mathcal{A}$, who must return $\alpha$.)
Definition. The DLP in $\mathbb{G}$ is to find $\alpha$ given $g^\alpha$, where $\alpha \in_R \mathbb{Z}_p$. An adversary $\mathcal{A}$ has advantage $\epsilon$ in solving the DLP if
$$\Pr\left[\,\alpha' = \alpha\;\middle|\;\alpha \in_R \mathbb{Z}_p;\ \alpha' \leftarrow \mathcal{A}(\mathbb{G}, p, g, g^\alpha)\,\right] \ge \epsilon.$$
The $(\epsilon, t)$-discrete-log assumption holds in $\mathbb{G}$ if no adversary has advantage at least $\epsilon$ in solving the DLP in time at most $t$.

19. Galindo-Garcia IBS

20. Galindo-Garcia IBS: Salient Features
◮ Derived from the Schnorr signature scheme
◮ Based on the discrete-log assumption
◮ Efficient, simple, and does not use pairings
◮ Security argued using oracle replay attacks
◮ Uses the random oracle heuristic

21. Schnorr Signature and the Oracle Replay Attack

22. Schnorr Signature
The Setting.
1. We work in a group $\mathbb{G} = \langle g \rangle$ of prime order $p$.
2. A hash function $\mathrm{H}: \{0,1\}^* \to \mathbb{Z}_p$ is used.
Key Generation, $\mathcal{K}(\kappa)$:
1. Select $z \in_R \mathbb{Z}_p$ as the secret key $sk$.
2. Set $Z := g^z$ as the public key $pk$.
Signing, $\mathcal{S}(m, sk)$:
1. Let $sk = z$. Select $r \in_R \mathbb{Z}_p$, set $R := g^r$ and $c := \mathrm{H}(m, R)$.
2. The signature on $m$ is $\sigma := (y, R)$ where $y := r + zc$ (computed in $\mathbb{Z}_p$).
Verification, $\mathcal{V}(\sigma, m, pk)$:
1. Let $\sigma = (y, R)$ and $c = \mathrm{H}(m, R)$.
2. $\sigma$ is valid if $g^y = R Z^c$.

23. Security of Schnorr Signature: An Intuition
◮ Consider an adversary $\mathcal{A}$ with the ability to launch a chosen-message attack on the Schnorr signature scheme.
◮ Let $\{\sigma_0, \ldots, \sigma_{n-1}\}$ with $\sigma_i = (y_i = r_i + z c_i,\ R_i)$ on $m_i$ be the signatures that $\mathcal{A}$ receives. Written as a linear system over $\mathbb{Z}_p$:
$$
\begin{pmatrix}
1 & 0 & \cdots & 0 & c_0 \\
0 & 1 & \cdots & 0 & c_1 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & 1 & c_{n-1}
\end{pmatrix}
\times
\begin{pmatrix} r_0 \\ r_1 \\ \vdots \\ r_{n-1} \\ z \end{pmatrix}
=
\begin{pmatrix} y_0 \\ y_1 \\ \vdots \\ y_{n-1} \end{pmatrix}
$$
◮ These are $n$ equations in the $n+1$ unknowns $r_0, \ldots, r_{n-1}, z$: as long as every signature uses a fresh $r_i$, the signatures alone do not determine $z$.
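The pieces just laid out (the EU-CMA game of slides 8–11, the Schnorr scheme of slide 22, and the linear system above) fit together in the following Python. It is an illustration added here, not code from the slides or from the Galindo-Garcia paper. It assumes a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use) and uses SHA-256 reduced mod q as the stand-in for the random oracle H; the function names are the example's own. Beyond the slide's system of equations, it also shows the step the oracle replay argument is built on: rewinding to the hash query and answering it differently yields two equations with the same r, which do determine z.

```python
"""Toy Schnorr signature in a prime-order subgroup of Z_p^*, the EU-CMA
experiment with its freshness check, and the 'same r, two challenges'
key-recovery step that the oracle-replay argument rests on.
Added example, not from the slides; the parameters are deliberately tiny."""
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Constructed toy group: p = 2q + 1 with p = 2039 and q = 1019 both prime,
# and g = 4 = 2^2 a quadratic residue mod p, hence of prime order q.
# A real deployment uses a ~256-bit prime-order group; this one is only
# large enough to show the algebra.
P, Q, G = 2039, 1019, 4


def H(m: bytes, R: int) -> int:
    """Stand-in for the random oracle H: {0,1}* -> Z_q (SHA-256 of m || R, mod q)."""
    data = m + R.to_bytes(2, "big")  # R < 2039 fits in two bytes
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen() -> Tuple[int, int]:
    """K(kappa): secret key z in Z_q (non-zero), public key Z = g^z."""
    z = secrets.randbelow(Q - 1) + 1
    return z, pow(G, z, P)


def sign_with_challenge(z: int, r: int, c: int) -> int:
    """Algebraic core of S: y = r + z*c mod q."""
    return (r + z * c) % Q


def sign(z: int, m: bytes, r: Optional[int] = None) -> Tuple[int, int]:
    """S(m, sk): a fresh r per signature; forcing r exists only for the demo."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return sign_with_challenge(z, r, H(m, R)), R


def verify(Z: int, m: bytes, sig: Tuple[int, int]) -> bool:
    """V(sigma, m, pk): accept iff g^y == R * Z^c, with R inside the order-q subgroup."""
    y, R = sig
    if not (0 <= y < Q and 0 < R < P and pow(R, Q, P) == 1):
        return False  # malformed y, or R outside <g>
    c = H(m, R)
    return pow(G, y, P) == (R * pow(Z, c, P)) % P


Oracle = Callable[[bytes], Tuple[int, int]]


def eu_cma_game(adversary: Callable[[int, Oracle], Tuple[Tuple[int, int], bytes]]) -> bool:
    """EU-CMA experiment: A gets pk and a signing oracle O_s and wins only with a
    valid signature on a message it never submitted to O_s."""
    z, Z = keygen()
    queried = set()

    def oracle(m: bytes) -> Tuple[int, int]:
        queried.add(m)
        return sign(z, m)

    sig_hat, m_hat = adversary(Z, oracle)
    return m_hat not in queried and verify(Z, m_hat, sig_hat)


def recover_secret(y1: int, c1: int, y2: int, c2: int) -> int:
    """Two equations y_i = r + z*c_i with the SAME r and c1 != c2 pin down z:
    z = (y1 - y2) / (c1 - c2) mod q. With a fresh r per signature there are
    n equations in n + 1 unknowns, which is why honest signatures leak nothing."""
    if c1 == c2:
        raise ValueError("identical challenges give one equation, not two")
    return (y1 - y2) * pow((c1 - c2) % Q, -1, Q) % Q


def replay_attack(z: int, m: bytes) -> int:
    """Reduction's view of the oracle replay (forking): run the signer once, rewind
    to the moment H(m, R) was asked, answer that same query with a fresh challenge,
    and solve the resulting two-equation system. The honest signer stands in for
    the forger, so this demonstrates the algebra of the reduction, not a break of
    a correctly used Schnorr signature."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c1 = H(m, R)                                   # first run: real oracle answer
    y1 = sign_with_challenge(z, r, c1)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q   # rewound run: reprogrammed, c2 != c1
    y2 = sign_with_challenge(z, r, c2)
    return recover_secret(y1, c1, y2, c2)


if __name__ == "__main__":
    z, Z = keygen()
    print("honest signature verifies:", verify(Z, b"msg", sign(z, b"msg")))
    print("oracle-replaying adversary wins EU-CMA:",
          eu_cma_game(lambda pk, O_s: (O_s(b"msg"), b"msg")))
    print("replay recovers z:", replay_attack(z, b"msg") == z)
```

The same two-equation solve is what breaks deployments that reuse a nonce: `sign(z, m1, r)` and `sign(z, m2, r)` share R, and `recover_secret` returns z whenever the two challenges differ. The EU-CMA harness shows why the freshness condition in the model matters: an adversary that simply hands back an oracle answer produces a valid signature but loses the game.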
