generic homomorphic undeniable signatures
play

Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay - PowerPoint PPT Presentation

Oct 13, 2022 •11 likes •321 views

Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE Asiacrypt 04 - December 8, 2004 J. Monnerat,

  1. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE Asiacrypt ’04 - December 8, 2004 J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  2. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Outline Introduction 1 Interpolation of Group Homomorphisms 2 Our Signature Scheme 3 Conclusion 4 J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  3. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Introduction J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  4. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Undeniable Signature (1) Properties: Public key algorithm Binding some information or a document with an entity Verifiable only with the cooperation of the signer Non repudiation property still holds! J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  5. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Undeniable Signature (2) Public Key K P Setup Secret Key K S Confirmation Protocol Verifier Signature Prover Denial Protocol Σ Σ m Σ m m Message m m J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  6. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Related Work Undeniable Signatures , Chaum and van Antwerpen, Crypto’89. Zero-knowledge Undeniable Signatures , Chaum, Eurocrypt ’90. New Convertible Undeniable Signatures , Dåmgard and Pedersen, Eurocrypt ’96. RSA-Based Undeniable Signatures , Gennaro, Rabin and Krawczyk, Crypto ’97. Identity Based Undeniable Signatures , Libert and Quisquater, CT-RSA ’04. Undeniable Signatures Based on Characters , Monnerat and Vaudenay, PKC ’04. (MOVA Scheme) J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  7. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Interpolation of Group Homomorphisms J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  8. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Interpolation Problems GHI Problem (Group Homomorphism Interpolation Problem) Parameters: two Abelian groups G and H , a set of s points S ⊆ G × H . Input: x ∈ G . Problem: find y ∈ H such that S ∪ { ( x, y ) } interpolates in a group homomorphism i.e., for S = { ( x 1 , y 1 ) , . . . , ( x s , y s ) } there exists a group homomorphism Hom such that Hom( x i ) = y i , i = 1 , . . . , s and Hom( x ) = y . GHID Problem (Group Homomorphism Interpolation Decisional Problem) Parameters: two Abelian groups G and H , a set of s points S ⊆ G × H . Input: ( x, y ) ∈ G × H . Problem: does S ∪ { ( x, y ) } interpolate in a group homomorphism? J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  9. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Geometrical Interpretation Homomorphism Set of points S GHI Input y 1 y y s y 2 x 1 x 2 x x s J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  10. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Relation to Well-known Problems DLP. G := < g > cyclic group of order q , H := Z q . S = { ( g, 1) } interpolates in a unique homomorphism, namely the discrete logarithm w.r.t. g . RSA. Let n = pq be a RSA modulus, e ∈ Z ∗ ϕ ( n ) the encryption exponent and G = H = Z ∗ n . Let S := { ( x e i mod n, x i ) i =1 ,...,s } such that the first coordinates generate Z ∗ n . The RSA decryption problem corresponds to the GHIP . Other examples such as, the quadratic residuosity problem, Diffie-Hellman problem, bilinear Diffie-Hellman problem, MOVA problem, . . . J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  11. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Proof of Interpolation Let d := # H . GHIproof ( { ( x j , y j ); j = 1 , . . . , J } ) with parameter I Prover Verifier pick r i ∈ G , a i,j ∈ Z d u i = dr i + � j a i,j x j u ← − − − − − − − − − − − − − − w i = � j a i,j y j commit( v ) − − − − − − − − − − − − − − → v i = Hom( u i ) r,a check u ← − − − − − − − − − − − − − − open( v ) − − − − − − − − − − − − − − → check commitment, v = w J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  12. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Security of GHIproof The GHIproof I ( S ) protocol satisfies the following properties: Completeness. The protocol always succeeds when the prover and the verifier follow the protocol. Zero-knowledge The protocol is perfectly black-box zero-knowledge. Proof of membership. If the protocol succeeds, then S interpolates in a group homomorphism. Proof of knowledge. If the protocol succeeds, there exists an extractor which computes an interpolating homomorphism. J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  13. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Proof of Non-Interpolation Let p be the smallest prime factor of d = # H . ` ´ coGHIproof { ( x j , y j ); j = 1 , . . . , J } , { ( x ′ k , z k ); k = 1 , . . . , K } with parameter I Prover Verifier pick r i,k ∈ G , a i,j,k ∈ Z d , λ i ∈ Z p j a i,j,k x j + λ i x ′ u i,k = dr i,k + P k w i,k = P j a i,j,k y j + λ i z k u,w compute v i,k = Hom( u i,k ) ← − − − − − − − − deduce λ i from commit( λ ) w i,k − v i,k = λ i ( z k − Hom( x ′ k )) − − − − − − − − → r,a check u, w ← − − − − − − − − open( λ ) − − − − − − − − → check commitment, λ J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  14. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Uniqueness of the Homomorphism Theorem Let G , H be two finite Abelian groups. We denote d the order of H . Let x 1 , . . . , x s ∈ G which span G ′ . The following properties are equivalent. In this case, we say that x 1 , . . . , x s H -generate G . For all y 1 , . . . , y s ∈ H , there exists at most one group 1 homomorphism Hom : G − → H such that Hom( x i ) = y i for all i = 1 , . . . s . G ′ + dG = G . 2 J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  15. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Our Signature Scheme J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  16. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Using Group Homomorphisms in Cryptography DL-based cryptography y = g x fixed homomorphism secret input − − − − − − − − − − − − − − − − − − − − − − − − → public key Our approach y = Hom( x ) secret homomorphism − − − − − − − − − − − − − − − − − − − − − − − − → fixed input public key J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  17. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Basic Description Setup Select two groups Xgroup and Ygroup ( Ygroup small) Select a secret group homomorphism Hom : Xgroup − → Ygroup Select some base points to characterize Hom Signature Generate some x i ’s from the message Compute the group homomorphism on the x i ’s Verification: prove/disprove the interpolation J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  18. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Geometrical Interpretation Homomorphism Base points Signature points y 2 y 1 x 2 x 1 J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  19. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Setups without Validation Setup Variant 1. The signer selects Abelian groups Xgroup , Ygroup and an homomorphism Hom . He computes the order d of Ygroup . He then picks a random string SeedK and computes the Lkey first values Xkey j from Gen 1 (SeedK) and Ykey j = Hom(Xkey j ) , j = 1 , . . . , Lkey . Setup Variant 2. (signer with a Registration Authority) The role of RA consists of making sure that a key was randomly selected. This works similarly as the variant 1 except that RA picks SeedK at random after the signer have sent his identity Id . The RA sends SeedK with a signature C for (Id , Xgroup , Ygroup , d, SeedK) . J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  20. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Signature Generation Let M be a message to be signed. Compute Gen 2 ( M ) → (Xsig 1 , . . . , Xsig Lsig ) Compute Ysig 1 = Hom(Xsig 1 ) , . . . , Ysig Lsig = Hom(Xsig Lsig ) The signature is [Ysig 1 , . . . , Ysig Lsig ] J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 ,

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 ,

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2 , Raymond K. H. Tai 2 , Harry W. H. Wong 2 , Sherman S. M. Chow 2 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Chinese University of Hong Kong

618 views • 59 slides
Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David

Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David

Linearly-Homomorphic Signatures and Scalable Mix-Nets Chlo Hbant, Duong Hieu Phan and David Pointcheval Outline 1. Mix-Nets in drawings 2. Building blocks 3. Spirit of our scheme 4. Difficulties 2 Mix-Net 3 Mix-Net 3 Mix-Net 3

600 views • 44 slides
From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare,

From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare,

From Identification to Signatures, Tightly: A Framework and Generic Transforms Mihir Bellare, Bertram Poettering , Douglas Stebila UCSD / Ruhr University Bochum / McMaster ASIACRYPT 2016, Hanoi December 6, 2016 Signature schemes In a nutshell

647 views • 23 slides
Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole Polytechnique, Universit e Paris-Saclay Applied Cryptography @ ProtonMail Generic homomorphic encryption Gentrys blueprint Second generation

1.07k views • 63 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU

Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU

Homomorphic Secret Sharing Ele2e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion &amp; UCLA PrimiLves AssumpLons 1970 PKE 1980 Signatures ZK OT Factoring Discrete Log 1990 Secure ComputaLon 2000

1.12k views • 64 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Stamp &amp; Extend - Instant but Undeniable electronic time stamp Timestamping based on

Stamp &amp; Extend - Instant but Undeniable electronic time stamp Timestamping based on

Krzywiecki, Kubiak, Kutyowski Importance of Stamp &amp; Extend - Instant but Undeniable electronic time stamp Timestamping based on Lazy Trees Possible solutions Trusted services Undeniable timestamping ukasz Krzywiecki,

668 views • 52 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

1 Definition of a simple generic class Why generic programming (cont.) class Pair &lt;T&gt; {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion &amp; UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia

Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia

Homomorphic SIM 2 D operations: Single Instruction Much More Data Wouter Castryck Ilia Iliashenko Frederik Vercauteren Homomorphic encryption cryp 175.2 {#*| Homomorphic encoding real-world data plaintext ciphertext

512 views • 40 slides
Homomorphic Secret Sharing &amp; Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing &amp; Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing &amp; Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, &amp; Peter Scholl Fully Homomorphic Encryption (FHE) Supports homomorphic

791 views • 40 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
Divine Intervention: Undeniable, But What Difference does it Make? by Douglas R McGaughey is

Divine Intervention: Undeniable, But What Difference does it Make? by Douglas R McGaughey is

Divine Intervention: Undeniable, But What Difference does it Make? by Douglas R McGaughey is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Presented at St. Annes College, Oxford July 16, 2014

564 views • 10 slides
that? The values that drive medical education scholarship and research AMEE Webinar, 10 May 2017

that? The values that drive medical education scholarship and research AMEE Webinar, 10 May 2017

Why do you care about that? The values that drive medical education scholarship and research AMEE Webinar, 10 May 2017 Ayelet Kuper MD DPhil &amp; Cynthia Whitehead MD PhD The Wilson Centre, University of Toronto Objectives By the end of

753 views • 43 slides
Flocking with GA/PSO SI Course Project Yvan Bidiville &amp; Thomas Thurnherr The Goal

Flocking with GA/PSO SI Course Project Yvan Bidiville &amp; Thomas Thurnherr The Goal

Flocking with GA/PSO SI Course Project Yvan Bidiville &amp; Thomas Thurnherr The Goal Evolve a controller for robots to move as flock. Explore the effectiveness of GA and PSO, with both homogeneous and heterogeneous learning. The

246 views • 9 slides
Space weather impacts and predictions: relevant spatial and temporal scales Pulkkinen, A. NASA

Space weather impacts and predictions: relevant spatial and temporal scales Pulkkinen, A. NASA

Space weather impacts and predictions: relevant spatial and temporal scales Pulkkinen, A. NASA Goddard Space Flight Center Heliophysics Science Division 1 Contents Identification of end-user needs (and the spatiotemporal context).

403 views • 18 slides
Mobile crowdsensing of parking space using geofencing and activity recognition Mikko Rinne and

Mobile crowdsensing of parking space using geofencing and activity recognition Mikko Rinne and

Mobile crowdsensing of parking space using geofencing and activity recognition Mikko Rinne and Seppo Trm Aalto University Three Methods of Gathering Parking Status Informa7on 1. Infrastructure sensors

417 views • 10 slides
Locally constrained homomorphisms on graphs of bounded treewidth and bounded degree Steven

Locally constrained homomorphisms on graphs of bounded treewidth and bounded degree Steven

Locally constrained homomorphisms on graphs of bounded treewidth and bounded degree Steven Chaplick 1 , Ji Fiala 1 , Pim van t Hof 2 , r el Paulusma 3 , Marek Tesa r 1 Dani 1 Charles University, Czech Republic 2 University of

177 views • 17 slides
t rs sr

t rs sr

t rs sr s rr P

314 views • 19 slides
Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients Outline Background 1 Inverse hull of left I-quotients of left ample semigroups 2 Extension of homomorphisms 3

794 views • 44 slides
Downtown Parking Study Committee Meeting Guiding Principles April 2, 2019 Hood River City Hall

Downtown Parking Study Committee Meeting Guiding Principles April 2, 2019 Hood River City Hall

Downtown Parking Study Committee Meeting Guiding Principles April 2, 2019 Hood River City Hall + Assessing Parking Demand 1 Agenda 1. Introductions 2. Approve Meeting #1 Notes Owen Ronchelli 3. Review Meeting &amp; Outreach Schedule

478 views • 19 slides

More recommend