HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* - - PowerPoint PPT Presentation

how to aggregate the cl signature scheme
SMART_READER_LITE
LIVE PREVIEW

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* - - PowerPoint PPT Presentation

Mar 13, 2024 24 likes •218 views

HOW TO AGGREGATE THE CL SIGNATURE SCHEME Dominique Schroeder* University of Maryland, USA *Partly supported by a DAAD postdoctoral fellowship AGGREGATE SIGNATURES (Boneh, Gentry, Lynn, and Shacham) sk 1 , m 1 sk i , m i sk n , m n . . . . .

slide-1
SLIDE 1

HOW TO AGGREGATE THE CL SIGNATURE SCHEME

Dominique Schroeder* University of Maryland, USA

*Partly supported by a DAAD postdoctoral fellowship

slide-2
SLIDE 2

Dominique Schröder ESORICS 2011

AGGREGATE SIGNATURES

(Boneh, Gentry, Lynn, and Shacham)

σ1 σi σn sk1, m1 ski, mi skn, mn (trivial) . . . . . . „aggregator“

2

slide-3
SLIDE 3

Dominique Schröder ESORICS 2011

AGGREGATE SIGNATURES

(Boneh, Gentry, Lynn, and Shacham)

σ1 σi σn . . . . . . „aggregator“ same size as an ordinary signature!!! sk1, m1 ski, mi skn, mn

3

slide-4
SLIDE 4

Dominique Schröder ESORICS 2011

ROAD MAP

Applications Security model Related Work Bilinear Maps Our Construction

4

slide-5
SLIDE 5

Dominique Schröder ESORICS 2011

APPLICATIONS OF AGGREGATE SIGNATURES

Secure Routing Compression of Certificate Chains Compression of Authenticated Data

(Boneh, Gentry, Lynn, and Shacham)

bandwidth saving!

Short Signatures Short Group Sig ....

5

slide-6
SLIDE 6

Dominique Schröder ESORICS 2011

APPLICATIONS OF AGGREGATE SIGNATURES

(Boneh, Gentry, Lynn, and Shacham)

(pk1,m1,σ) (pk1, pk2, m1, m2, σ) (pk1, pk2,...,m1, m2,,...,σ) Sequential aggregate signature Key size??

6

slide-7
SLIDE 7

Dominique Schröder ESORICS 2011

SECURITY OF AGGREGATE SIGNATURES

m σ sk

(m1, pk1), . . . , (mi, pki), . . . , (mn, pkn), σ

sk sk sk sk pk

(Boneh, Lynn, and Shacham)

7

slide-8
SLIDE 8

Dominique Schröder ESORICS 2011

SECURITY OF AGGREGATE SIGNATURES

adversary wins if: 1) (m1,pk1 ,..., mi,pki ,..., mn,pkn,σ) valid 2) Never queried the oracle about mi

sk m σ

(Boneh, Lynn, and Shacham)

3) Registered key: all keys (ski,pki) are registered

8

slide-9
SLIDE 9

Dominique Schröder ESORICS 2011

RELATED WORK

Aggregate and Verifiably Encrypted Signatures from Bilinear Maps BGLS (ROM, non sequential, EUROCRYPT 2003) Sequential Aggregate Signatures from Trapdoor Permutations LMRS (ROM, sequential, EUROCRYPT 2004) Aggregate Signatures and Multisignatures Without Random Oracles LOSSW (sequential, large keys!, EUROCRYPT 2006) Efficient Sequential Aggregate Signed Data Neven (ROM, EUROCRYPT 2008)

9

slide-10
SLIDE 10

Dominique Schröder ESORICS 2011

BILINEAR MAPS

G, GT e: G x G -> GT g generator of G, e(g,g) generator of GT Non degenerate e(g,g)≠1 e(ga,gb) = e(g,g)ab

10

slide-11
SLIDE 11

Dominique Schröder ESORICS 2011

CL SIGNATURE SCHEME

secure under the interactive LRSW assumption

Kg: x,y <- Zp X := gx , Y := gy Sign: r <- Zp, a := gr , b := gry, c := gr(x+Mxy) Vf: e(a,Y) = e(g,b) , e(X,a)*e(X,b)M =e(g,c) e(a,Y) = e(gr,gy) = e(g,g)ry = e(g,gry) = e(g,b) e(X,a)*e(X,b)M = e(gx,gr)*e(gx, gry)M

= e(g,g)xr*e(g, g)xryM

= e(g,g)xr+xryM = e(g,g)r(x+xyM) = e(g,gr(x+xyM)) = e(g,c)

11

slide-12
SLIDE 12

Dominique Schröder ESORICS 2011

OUR CONSTRUCTION

Randomized signature: a := gr , b := gry, c := gr(x+Mxy) Use ‘a’ from the previous signer re-randomize the signature afterwards. Cross-Terms public keys ga, gb and signatures Sa and Sb with Vf: e(ga, Sa) e(gagb, Sa Sb) = e(ga, Sa Sb) e(gb, Sa Sb) = e(ga, Sa) e(gb, Sa) e(ga, Sb) e(gb, Sb)

Challenges

12

slide-13
SLIDE 13

Dominique Schröder ESORICS 2011

RANDOMIZING

sk=(x’,y’), pk=(X’,Y’) Randomized signature: a := gr , b := gry, c := gr(x+Mxy) a’ := a b’ := ay‘ = gry‘ c’:= ax’+Mx’y’ =gr(x’+Mx’y’) Re-randomizing: pick r’ a’r’ := grr’ b’r’ := ay‘r’ = grr’y‘ c’r’:= a r’(x’+Mx’y’)=gr r’(x’+Mx’y’)

13

slide-14
SLIDE 14

Dominique Schröder ESORICS 2011

CROSS TERMS

Aggregate Extension Technique

public keys ga, gb and signatures Sa and Sb with Vf: e(ga, Sa) e(gagb, Sa Sb) = e(ga, Sa Sb) e(gb, Sa Sb) = e(ga, Sa) e(gb, Sb) e(gb, Sa) e(ga, Sb)

14

Extend the aggregate Signer a sends ga, Sa Compute gb, Sb Extend the aggregate by D:=Sag-b (Sb)-1ga e(gagb, Sa Sb) e(D,g) = e(ga, Sa Sb) e(gb, Sa Sb) e(g,Sag-b (Sb)-1ga)

slide-15
SLIDE 15

Dominique Schröder ESORICS 2011

OUR SCHEME

a := gr , b := gry, c := gr(x+Mxy) a := gr , b’ := gry’, c’ := gr(x’+M’x’y’) Aggregate A:= a , B := bb’= gr(y+y’), C:=cc’ Verification: Π e(Xi,A)e(Xi,B)Mi = e(g,C) Π e(Xi,B) Mi = e(X,B)M e(X’,B)M‘ = e(g,B)xM e(g,B)x’M‘ = e(g,Ay+y’)xM+x’M‘ = e(g,gr)xyM+x’y’M‘+xy’M+x’yM‘

15

Extend D := Xy’MYx’M‘ = gx’yM‘+xy’M

slide-16
SLIDE 16

Dominique Schröder ESORICS 2011

OUR SCHEME

Structure of the aggregate A = gr , B = Πgryi , C = Πgr(xi+Mixiyi) , D = Πi≠j gMixiyj Key Generation X:=gx and Y:=gy Sequential Signing σ=(A,B,C,D) a:= A , b := BAy , c = CAx+Mxy , d = DΠi XjxMj YxM pick r’: A := ar’ ; B := br‘ ; C := cr’ ; D := d

16

slide-17
SLIDE 17

Dominique Schröder ESORICS 2011

OUR SCHEME

CL Vf: e(a,Y) = e(g,b) , e(X,a)*e(X,b)M =e(g,c) Verification: e(A,Πi Yi) = e(g,B) Πi (e(Xi,A) e(Xi,B)Mi ) = e(g,C) e(A,D)-1 Πi e(Xi,Yj)Mi=e(g,D)

17

slide-18
SLIDE 18

Dominique Schröder ESORICS 2011

OPEN PROBLEMS

Non-sequential aggregate signature in the standard model Scheme with short keys based on a non-interactive assumption Construction secure outside the KOSK Construction with short keys outside the KOSK

18

slide-19
SLIDE 19

Dominique Schröder ESORICS 2011

THANKS! QUESTIONS?

19