group signatures with almost for free revocation
play

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas - PowerPoint PPT Presentation

Jan 09, 2023 •397 likes •605 views

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas Peters 1 Moti Yung 2 Beno 1 Universit e catholique de Louvain, Crypto Group (Belgium) 2 - Google Inc. and Columbia University (USA) Santa Barbara, August 22, 2012 UCL

  1. Group Signatures with Almost-for-free Revocation ıt Libert 1 Thomas Peters 1 Moti Yung 2 Benoˆ 1 Universit´ e catholique de Louvain, Crypto Group (Belgium) 2 - Google Inc. and Columbia University (USA) Santa Barbara, August 22, 2012 UCL Crypto Group Group Signatures - Crypto 2012 1 Microelectronics Laboratory

  2. Outline 1. Introduction Background and Prior Work The Revocation Problem 2. NNL-Based Revocation in Group Signatures Description and Efficiency Analysis 3. Our Contribution: Construction with Short Private Keys Overview of the Scheme Efficiency and Security Analysis UCL Crypto Group Group Signatures - Crypto 2012 2 Microelectronics Laboratory

  3. Group Signatures Group members anonymously and accountably sign messages on behalf of a group (Chaum-Van Heyst, 1991) Applications in trusted computing platforms, auction protocols, . . . UCL Crypto Group Group Signatures - Crypto 2012 3 Microelectronics Laboratory

  4. Security Properties Full anonymity of signatures ◮ Users’ signatures are anonymous and unlinkable Security against misidentification attacks ◮ Infeasibility of producing a signature which traces outside the set of unrevoked corrupted users Non-frameability of a group signature ◮ Infeasibility of claiming falsely that a member produced a given signature UCL Crypto Group Group Signatures - Crypto 2012 4 Microelectronics Laboratory

  5. Group Signatures Chaum-van Heyst (Eurocrypt’91): introduction of the primitive Ateniese-Camenisch-Joye-Tsudik (Crypto’00): a scalable coalition-resistant construction. . . but analyzed w.r.t. a list of security requirements Bellare-Micciancio-Warinschi (Eurocrypt’03): security model; construction based on general assumptions Bellare-Shi-Zhang (CT-RSA’05), Kiayias-Yung (J. of Security and Networks 2006): extensions to dynamic groups Boyen-Waters (Eurocrypt’06 - PKC’07), Groth (Asiacrypt’06 -’07): in the standard model UCL Crypto Group Group Signatures - Crypto 2012 5 Microelectronics Laboratory

  6. Revocation in Group Signatures Trivial approach: O ( N − r ) cost for the GM at each revocation Bresson-Stern (PKC’01): signature size and signing cost in O ( r ) Brickell and Boneh-Shacham (CCS’04): verifier-local revocations, linear verification in O ( r ) Nakanishi-Fuji-Hira-Funabiki (PKC’09): O (1)-cost signing and verification time but O ( N )-size group public keys Camenisch-Lysyanskaya (Crypto’02): based on accumulators, optimal asymptotic efficiency but requires users ◮ To update their credentials at every revocation ◮ To know of all changes in the population of the group UCL Crypto Group Group Signatures - Crypto 2012 6 Microelectronics Laboratory

  7. Current Situation So far, despite 20 years of research: No system has a mechanism where the revocation is truly scalable (contrast with CRLs in regular signatures) Situation is only worse in schemes in the standard model (e.g., accumulator-based approaches do not always scale well) Recent approach (Libert-Peters-Yung; Eurocrypt 2012): Revocation mechanism based on broadcast encryption Starts from a revocation structure and adapt it (algebraically) in the group signature scenario UCL Crypto Group Group Signatures - Crypto 2012 7 Microelectronics Laboratory

  8. NNL-Based Revocation in Group Signatures Features of our approach (Eurocrypt’12) History-independent revocation / verification Provable in the standard model ( i.e. , no random oracle ) Efficiency: Signature size / Verification cost in O (1) Revocation list of size O ( r ) as in standard PKIs At most O ( polylog N ) complexity elsewhere Disadvantage : membership certificates of size O (log 3 N ) UCL Crypto Group Group Signatures - Crypto 2012 8 Microelectronics Laboratory

  9. NNL-Based Revocation in Group Signatures Using the Naor-Naor-Lotspiech framework (Crypto’01): Broadcast (symmetric) encryption / revocation Users are assigned to a leaf Subset Cover: find a cover S 1 , . . . , S m of the unrevoked set N\R and compute an encryption for each S i UCL Crypto Group Group Signatures - Crypto 2012 9 Microelectronics Laboratory

  10. NNL-Based Revocation in Group Signatures Subset Difference (SD) method: each S i is the difference between two subtrees; m = O ( r ) subsets are needed in the partition Public-key variant of NNL (Dodis-Fazio, DRM’02) ◮ SD method uses Hierarchical Identity-Based Encryption (HIBE) ◮ O ( r )-size ciphertexts and O (log 3 N ) private keys ◮ Improvements (Halevy-Shamir, Crypto’02) give O (log 2+ ǫ N )-size keys UCL Crypto Group Group Signatures - Crypto 2012 10 Microelectronics Laboratory

  11. NNL-Based Revocation in Group Signatures Broadcast encryption ciphertext is turned into a revocation list RL ⇒ RL is a set of HIBE ciphertexts C 1 , . . . , C m Signer shows the ability to decrypt one of these HIBE ciphertexts Proof that he can decrypt a committed C i , which is in the RL Can be achieved with O (1)-size signatures UCL Crypto Group Group Signatures - Crypto 2012 11 Microelectronics Laboratory

  12. NNL-Based Revocation in Group Signatures Using HIBE and the public-key NNL entails membership certificates of size O (log 3 N ). ⇒ Important overhead w.r.t. schemes without revocation and ordinary signatures e.g. , for N = 1000, private keys may contain > 1000 elements This paper : getting competitive with ordinary group signatures - O (1)-size membership certificates in the NNL framework - Carrying out all operations in constant time How is it possible? O (log N ) dependency seems inevitable with a tree-based approach. UCL Crypto Group Group Signatures - Crypto 2012 12 Microelectronics Laboratory

  13. Construction with Short Private Keys Uses concise vector commitments (Libert-Yung, TCC 2010): Constant-size commitments to ( m 1 , . . . , m ℓ ) that can be opened for individual coordinates i ∈ { 1 , . . . , ℓ } using short openings Commitments to vectors of dimension ℓ = log N are included in membership certificates Signatures prove properties about individual coordinates ⇒ Concise openings give us constant-size signatures The “essential” O (log N ) factor is pushed to the public key size only! UCL Crypto Group Group Signatures - Crypto 2012 13 Microelectronics Laboratory

  14. Construction with Short Private Keys Combination of the SD method and vector commitments Each member is assigned to a leaf v and obtains a signature on C where C = g I 1 ℓ · · · g I ℓ 1 is a commitment to the path I 1 , . . . , I ℓ to v RL encodes a cover { S 1 , . . . , S m } and specifies two node identifiers ( L j , i 1 , L j , i 2 ), with i 1 , i 2 ∈ { 1 , . . . , ℓ } , for each S j Unrevoked members prove their belonging to one of the S j ’s by proving that ( I 1 , . . . , I ℓ ) satisfies I i 1 = L j , i 1 and I i 2 � = L j , i 2 UCL Crypto Group Group Signatures - Crypto 2012 14 Microelectronics Laboratory

  15. Construction with Short Private Keys Combination of the SD method and vector commitments Each member is assigned to a leaf v and obtains a signature on C where C = g I 1 ℓ · · · g I ℓ 1 is a commitment to the path I 1 , . . . , I ℓ to v RL encodes a cover { S 1 , . . . , S m } and specifies two node identifiers ( L j , i 1 , L j , i 2 ), with i 1 , i 2 ∈ { 1 , . . . , ℓ } , for each S j Unrevoked members prove their belonging to one of the S j ’s by proving that ( I 1 , . . . , I ℓ ) satisfies I i 1 = L j , i 1 and I i 2 � = L j , i 2 UCL Crypto Group Group Signatures - Crypto 2012 14 Microelectronics Laboratory

  16. Efficiency Outcome Complexity is essentially optimal O (1)-size signatures and O (1) signing / verification time O ( r )-size revocation lists at each period as in standard PKIs O (log N )-size group public keys O (1)-size membership certificates Concrete signature length: 144 group elements, or about 9 kB at the 128-bit security level Only 3 times as long as Groth’s group signatures (Asiacrypt’07) UCL Crypto Group Group Signatures - Crypto 2012 15 Microelectronics Laboratory

  17. Security Security is proved under the same assumptions as in Eurocrypt’12 and an extra assumption (for q = O (log N )): The q -Flexible Diffie-Hellman Exponent Problem : given ( g , g 1 , . . . , g q , g q +2 , . . . , g 2 q ) with g i = g ( α i ) , find a non-trivial triple 2 q ) ∈ ( G \{ 1 G } ) 3 ( g µ , g µ q +1 , g µ At the expense of O (log 2 N )-size public keys, the Catalano-Fiore commitment allows using a weaker assumption: The Flexible Squared Diffie-Hellman Problem : given ( g , g a ), find a non-trivial triple ( g µ , g a · µ , g ( a 2 ) · µ ) ∈ ( G \{ 1 G } ) 3 . UCL Crypto Group Group Signatures - Crypto 2012 16 Microelectronics Laboratory

  18. Conclusion Revocable schemes are now competitive with ordinary group signatures: only overhead is a O (log N )-size group public key Our revocation approach Allows security proofs in the standard model Applies in other settings: traceable signatures, anonymous credentials, . . . Open problem: weakening the hardness assumptions without degrading the efficiency Alternative construction relies on weaker assumptions but has O (log 2 N )-size public keys. Can we avoid this? UCL Crypto Group Group Signatures - Crypto 2012 17 Microelectronics Laboratory

  19. Thanks! UCL Crypto Group Group Signatures - Crypto 2012 18 Microelectronics Laboratory

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect CRL, dynamic CRL-DP Delta-CRL, windowed CRL, etc. Certificate Revocation Tree (CRT) and other Authenticated Data Structures OCSP

745 views • 35 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge

Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge

Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge REVOCATIONS AND REVOCATION APPEALS The Revocation Decision Pursuant to T.C.A. 49-13-122(b), a charter school authorizer may revoke a

386 views • 35 slides
Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects clients from compromised certificates Without revocation, these attacks would go undetected 2 Certificate Revocation Lists (CRLs) Lists of

544 views • 27 slides
Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH)

700 views • 35 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP

Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP

Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP Schleswig-Holstein Use of Pseudonyms in Digital Signatures Pseudonym instead of name in certificate (no further data) States are free to allow use of

304 views • 15 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Introduction & background Path-key-enabled attacks Secure path-key revocation Conclusions Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler Moore and Jolyon Clulow University of Cambridge

505 views • 22 slides
Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

KTH ROYAL INSTITUTE OF TECHNOLOGY Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular Communication Systems Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS)

981 views • 52 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May

Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May

Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May 2019 Agenda. Introduction Reasons to deploy TLS Rolling out TLS Introduction. Me: Danil van Eeden Senior Database

777 views • 33 slides
Sessi ssion on Ma Mana nagem ement ent websec 1 Recall from last week: the web On the

Sessi ssion on Ma Mana nagem ement ent websec 1 Recall from last week: the web On the

Web Securi urity ty Sessi ssion on Ma Mana nagem ement ent websec 1 Recall from last week: the web On the web, servers and clients communicate by HTTP requests and responses HTTP request are usually GET or POST requests

1.73k views • 62 slides
Octavia OpenStack Load Balancing New Features Deep Dive OpenStack Summit - Denver Adam Harwell -

Octavia OpenStack Load Balancing New Features Deep Dive OpenStack Summit - Denver Adam Harwell -

May 2019 Octavia OpenStack Load Balancing New Features Deep Dive OpenStack Summit - Denver Adam Harwell - Train PTL - Verizon Media Carlos Goncalves - Red Hat Michael Johnson - Red Hat What is Octavia? Network Load Balancing as a Service for

1.25k views • 16 slides
Key Management and Distribution Symmetric with Asymmetric Public Keys CSS441: Security and

Key Management and Distribution Symmetric with Asymmetric Public Keys CSS441: Security and

CSS441 Key Management Key Distribution Symmetric with Symmetric Key Management and Distribution Symmetric with Asymmetric Public Keys CSS441: Security and Cryptography X.509 Sirindhorn International Institute of Technology Thammasat

545 views • 33 slides
CS 4803 Verifies the ID, Computer and Network Security picks a random challenge I want pkU R

CS 4803 Verifies the ID, Computer and Network Security picks a random challenge I want pkU R

pk CA User ID U , pk U CS 4803 Verifies the ID, Computer and Network Security picks a random challenge I want pkU R (e.g. a message to sign) R = Sign(sk U, R) Alexandra (Sasha) Boldyreva Verifies that VF(pkU, R, )= 1 PKI, secret

467 views • 5 slides
HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web

HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web

HTTPS: Achievements, Challenges, and Epiphany Michael Catanzaro <mcatanzaro@igalia.com> Web Engines Hackfest December 7, 2015 HTTPS Basics HTTPS: Achievements, Challenges, and Epiphany 2 Man-in-the-Middle (MITM) Attacks ARP spoofing

369 views • 24 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used Describe the components of

569 views • 7 slides
KEY DISTRIBUTION 1 / 74 The public key setting Bob pk [ A ] Alice C $ M D sk [ A ] (

KEY DISTRIBUTION 1 / 74 The public key setting Bob pk [ A ] Alice C $ M D sk [ A ] (

KEY DISTRIBUTION 1 / 74 The public key setting Bob pk [ A ] Alice C $ M D sk [ A ] ( C ) C E pk [ A ] ( M ) M , $ S sk [ A ] ( M ) V pk [ A ] ( M , ) Bob can: send encrypted data to Alice verify her

1.15k views • 94 slides

More recommend