
Lattice-Based Signature Scheme with Verifier Local Revocation



  1. Lattice-Based Signature Scheme with Verifier Local Revocation
     Adeline Langlois (1), San Ling (2), Khoa Nguyen (2), Huaxiong Wang (2)
     (1) LIP, ENS de Lyon, France
     (2) Nanyang Technological University, Singapore
     March 27, 2014
     PKC 2014, Group Signature with VLR

  2. Our main result
     First lattice-based group signature (with $N$ members) with verifier-local revocation, logarithmic signature size (logarithmic in $N$), and security under the SIS assumption (a hard problem on lattices) in the Random Oracle Model.

  3. Group signatures [ChaumVanHeyst91]
     Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group.
     ◮ Group manager ($gpk$, $gsk_i$): KeyGen, Open
     ◮ Group members ($gsk_i$): Sign
     ◮ Anyone: Verify
     Security:
     • Anonymity
     • Traceability
     [Diagram: Group Manager (KeyGen, Open), Group Members (Sign), Anyone (Verify)]

  4. Group signatures with verifier-local revocation [ChaumVanHeyst91] [BonehShacham04]
     Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group.
     ◮ Group manager ($gpk$, $gsk_i$, $grt_i$): KeyGen
     ◮ Group members ($gsk_i$): Sign
     ◮ Anyone: Verify
     Security:
     • Anonymity
     • Traceability
     [Diagram: Group Manager (KeyGen), revoked Group Member $d$, revocation list RL, Anyone (Verify). Verify fails if $grt_d \in RL$.]

  5. Security: anonymity and traceability
     Security requirements [BonehShacham04]
     ◮ Correctness
       $\forall (gpk, gsk, grt) \leftarrow \mathrm{KeyGen},\ \forall i \in [N-1],\ \forall M \in \{0,1\}^*$:
       $\mathrm{Verify}(gpk, RL, \mathrm{Sign}(gpk, gsk_i, M), M) = \mathrm{Valid} \Leftrightarrow grt_i \notin RL$.
     ◮ Selfless-anonymity
       A given signature does not leak the identity of its originator.
       Given: $gpk$ and Sign, Corruption and Revocation queries.
       Goal: find which of the two adaptively chosen keys generates the signature.
     ◮ Traceability
       No collusion of malicious users can produce a valid signature that cannot be traced to one of them.
       Given: $gpk$, $grt_i$ for all $i$, and $gsk_i$ of users in the collusion.
       Goal: create a valid signature that doesn't trace to someone in the collusion (or that fails).

  6. Applications
     Need for authenticity and anonymity
     ◮ Anonymous credentials: anonymous use of certified attributes
       ◮ E.g.: student card - name, picture, date, grade...
     ◮ Traffic management (Vehicle Safety Communications project of the U.S. Dept. of Transportation).
     ◮ Restrictive area access.

  7. Prior works
     ◮ Group signature introduced by [ChaumVanHeyst91],
     ◮ Group signature with verifier local revocation introduced by [Brickell03] and [KiayiasTsiounisYung04],
     ◮ Formalized by [BonehShacham04],
     ◮ Number of realizations in bilinear map setting: [NakanishiFunabiki05 and 06], [LibertVergnaud09], [BichselCamenischNevenSmartWarinschi10].
     In lattice-based cryptography:
     ◮ First one [GordonKatzVaikuntanathan10], then with signature size linear in $N$: [CamenischNevenRückert12].
     ◮ Signature size logarithmic in $N$ (and full-anonymity): [LaguillaumieLangloisLibertStehlé13].
     ◮ Our result: first lattice-based group signature with verifier-local revocation (and we have signature size logarithmic in $N$).

  8. Lattice-based cryptography
     From basic to very advanced primitives
     ◮ Public key encryption [Regev05, ...],
     ◮ Lyubashevsky signature scheme [Lyubashevsky12],
     ◮ Identity-based encryption [GentryPeikertVaikuntanathan08, ...],
     ◮ Attribute-based encryption [Boyen13, GorbunovVaikuntanathanWee13],
     ◮ Fully homomorphic encryption [Gentry09, ...].
     Advantages of lattice-based primitives
     ◮ (Asymptotically) efficient,
     ◮ Security proofs from the hardness of LWE and SIS,
     ◮ Likely to resist quantum attacks.

  9. $\mathrm{SIS}_\beta$ and $\mathrm{ISIS}_\beta$
     Parameters: $n$ dimension, $m \ge n$, $q$ modulus. For $A \leftarrow U(\mathbb{Z}_q^{m \times n})$:
     Short Integer Solution: $x^T A = 0 \bmod q$
       Goal: Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ s.t. $0 < \|x\| \le \beta$.
     Inhomogeneous SIS: $x^T A = u^T \bmod q$
       Goal: Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, $u \in \mathbb{Z}_q^n$, find $x$ s.t. $0 < \|x\| \le \beta$.
     Shown to be as hard as worst-case lattice problems, [GentryPeikertVaikuntanathan2008]

  10. Lattice-based cryptography toolbox: trapdoors
      ◮ TrapGen → $(A, T_A)$ such that $T_A$ is a short basis of the lattice
        $\Lambda_q^{\perp}(A) = \{ x \in \mathbb{Z}^m : x^T \cdot A = 0 \pmod q \}$.
        → $A$: public description of the lattice; $T_A$: short basis, kept secret
      ◮ Note that:
        1. Computing $T_A$ given $A$ is hard,
        2. Constructing $A$ together with $T_A$ is easy.
      ◮ With $T_A$, we can sample short vectors in $\Lambda_q^{\perp}(A)$.

  11. Our construction
      Ingredients
      ◮ Certificate of users → key to produce temporary certificate,
      ◮ Bonsai Tree signature [CashHofheinzKiltzPeikert12],
      ◮ ZKPoK using "Stern Extension" adapted from [LingNguyenStehléWang13].
      Our scheme
      ◮ The member uses an interactive protocol to convince the verifier that he is a certified group member and he has not been revoked,
      ◮ Repeated many times to make the soundness error negligibly small.
      ◮ Convert this protocol to a signature scheme via Fiat-Shamir.

  12. Generation of the keys
      $N = 2^\ell$ group members
      KeyGen
      ◮ Run TrapGen to get $A_0$ together with a trapdoor $T_{A_0}$,
      ◮ Sample $u$ uniform in $\mathbb{Z}_q^n$,
      ◮ Sample $2\ell$ public matrices $(A_i^{(b)})$'s for $b \in \{0,1\}$, then define $A$ and for each $d \in [N-1]$: $A_d$ (as in a Bonsai signature),
      $$A = \begin{pmatrix} A_0 \\ A_1^{(0)} \\ A_1^{(1)} \\ \vdots \\ A_\ell^{(0)} \\ A_\ell^{(1)} \end{pmatrix} \in \mathbb{Z}_q^{(\ell+1)m \times n}, \quad \text{and} \quad A_d = \begin{pmatrix} A_0 \\ A_1^{(d_1)} \\ \vdots \\ A_\ell^{(d_\ell)} \end{pmatrix} \in \mathbb{Z}_q^{(\ell+1)m \times n}.$$

  13. Generation of the keys
      $N = 2^\ell$ group members
      KeyGen
      ◮ Run TrapGen to get $A_0$ together with a trapdoor $T_{A_0}$,
      ◮ Sample $u$ uniform in $\mathbb{Z}_q^n$,
      ◮ Sample $2\ell$ public matrices $(A_i^{(b)})$'s for $b \in \{0,1\}$, then define $A$ and for each $d \in [N-1]$: $A_d$ (as in a Bonsai signature),
      ◮ For each $d$, sample a small Gaussian $x^{(d)}$ (using $T_{A_0}$), such that $(x^{(d)})^T A_d = u^T \bmod q$,
      $$\big( (x_0^{(d)})^T \ \ (x_1^{d_1})^T \ \ \cdots \ \ (x_\ell^{d_\ell})^T \big) \begin{pmatrix} A_0 \\ A_1^{(d_1)} \\ \vdots \\ A_\ell^{(d_\ell)} \end{pmatrix} = u^T \bmod q$$

  14. Generation of the keys
      $N = 2^\ell$ group members
      KeyGen
      ◮ Run TrapGen to get $A_0$ together with a trapdoor $T_{A_0}$,
      ◮ Sample $u$ uniform in $\mathbb{Z}_q^n$,
      ◮ Sample $2\ell$ public matrices $(A_i^{(b)})$'s for $b \in \{0,1\}$, then define $A$ and for each $d \in [N-1]$: $A_d$ (as in a Bonsai signature),
      ◮ For each $d$, sample a small Gaussian $x^{(d)}$ (using $T_{A_0}$), such that $(x^{(d)})^T A_d = u^T \bmod q$,
      ◮ Public key: $gpk = (A, u)$,
      ◮ Secret key for each $d$: $gsk_d = x^{(d)}$ such that $x^{(d)} A_d = u^T \bmod q$,
        $$x^{(d)} = \big( (x_0^{(d)})^T \ \ (x_1^{d_1})^T \ \ \cdots \ \ (x_\ell^{d_\ell})^T \big).$$
      ◮ Revocation token for each $d$: $grt_d = (x_0^{(d)})^T A_0$.

  15. Sign
      ◮ To sign a message, the user must hide $d$
      ◮ ⇒ he cannot convince a verifier that he knows $x^{(d)}$ with $(x^{(d)})^T A_d = u^T \bmod q$ if the verifier does not know $A_d$.

  16. Sign
      ◮ To sign a message, the user must hide $d$
      ◮ ⇒ he cannot convince a verifier that he knows $x^{(d)}$ with $(x^{(d)})^T A_d = u^T \bmod q$ if the verifier does not know $A_d$.
      ◮ Solution: prove that he knows $x$ such that $x^T A = u^T \bmod q$, and that for every two consecutive blocks of $x^{(d)}$, one is a zero block.

  17. Sign
      ◮ To sign a message, the user must hide $d$
      ◮ ⇒ he cannot convince a verifier that he knows $x^{(d)}$ with $(x^{(d)})^T A_d = u^T \bmod q$ if the verifier does not know $A_d$.
      ◮ Solution: prove that he knows $x$ such that $x^T A = u^T \bmod q$, and that for every two consecutive blocks of $x^{(d)}$, one is a zero block.
      ◮ Recall that $x^{(d)} = \big( (x_0^{(d)})^T \ \ (x_1^{d_1})^T \ \ \cdots \ \ (x_\ell^{d_\ell})^T \big)$. Construct $x$:
        $$\big( (x_0^{(d)})^T \ \ \underbrace{(x_1^{d_1})^T \ \ 0}_{\text{if } d_1 = 0} \ \ \cdots \big)$$

  18. Sign
      ◮ To sign a message, the user must hide $d$
      ◮ ⇒ he cannot convince a verifier that he knows $x^{(d)}$ with $(x^{(d)})^T A_d = u^T \bmod q$ if the verifier does not know $A_d$.
      ◮ Solution: prove that he knows $x$ such that $x^T A = u^T \bmod q$, and that for every two consecutive blocks of $x^{(d)}$, one is a zero block.
      ◮ Recall that $x^{(d)} = \big( (x_0^{(d)})^T \ \ (x_1^{d_1})^T \ \ \cdots \ \ (x_\ell^{d_\ell})^T \big)$. Construct $x$:
        $$\big( (x_0^{(d)})^T \ \ \underbrace{0 \ \ (x_1^{d_1})^T}_{\text{if } d_1 = 1} \ \ \cdots \big)$$
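
The zero-block padding from the Sign slides and the revocation token from KeyGen, as an added toy example (not from the slides or the authors' code). Assumptions: the parameters are constructed and insecure, `short_key` stands in for the trapdoor sampler, `u` is derived from the key instead of being fixed first, and `d_1` is taken as the most significant bit of `d`.

```python
import random

# Toy parameters, constructed for illustration; far too small to be secure.
n, m, ell, q = 4, 6, 3, 97            # N = 2**ell = 8 group members
rng = random.Random(2014)

def rand_block():
    # Uniform m x n block over Z_q (rows x columns, as on the slides).
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]

def vec_mat(x, M):
    # Row vector times matrix: x^T M mod q.
    return [sum(xi * row[j] for xi, row in zip(x, M)) % q for j in range(n)]

def bits(d):
    # d_1 ... d_ell, with d_1 the most significant bit (an assumption).
    return [(d >> (ell - 1 - i)) & 1 for i in range(ell)]

A0 = rand_block()
Ab = [[rand_block(), rand_block()] for _ in range(ell)]  # Ab[i][b] = A_{i+1}^{(b)}
# Public matrix A: A_0, then A_i^{(0)}, A_i^{(1)} for i = 1..ell, stacked.
A = A0 + [row for pair in Ab for blk in pair for row in blk]

def A_d(d):
    # Member matrix A_d: A_0 stacked with A_i^{(d_i)}.
    return A0 + [row for i, b in enumerate(bits(d)) for row in Ab[i][b]]

def short_key():
    # Hypothetical stand-in for trapdoor sampling: ell+1 blocks in {-1,0,1}^m.
    return [[rng.choice((-1, 0, 1)) for _ in range(m)] for _ in range(ell + 1)]

def pad(d, xd):
    # Extend x^{(d)} to x: in each pair, the block not selected by d_i is zero.
    x = list(xd[0])
    for i, b in enumerate(bits(d)):
        pair = [[0] * m, [0] * m]
        pair[b] = xd[i + 1]
        x += pair[0] + pair[1]
    return x

def revocation_token(xd):
    # grt_d = (x_0^{(d)})^T A_0 mod q
    return vec_mat(xd[0], A0)

def demo(d):
    xd = short_key()
    flat = [c for blk in xd for c in blk]
    u = vec_mat(flat, A_d(d))   # shortcut: KeyGen fixes u first, then samples x
    x = pad(d, xd)
    return u, vec_mat(x, A), x, revocation_token(xd)
```

For every `d`, the second value returned by `demo(d)` equals `u`: the padded vector satisfies the equation against the public `A`, so the statement being proved no longer mentions `A_d`.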
