on the security of unique witness blind signature schemes
play

On The Security of Unique- Witness Blind Signature Schemes - PowerPoint PPT Presentation

Jan 03, 2024 •95 likes •439 views

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

  1. On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya

  2. 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is different that the message author. Author “blinds” the message before sending it to the signer. Signer learns nothing about the message. Applications Values need to be certified but anonymity should be preserved.

  3. 3 Security for Blind Signatures Pointcheval and Stern ('96): definition of security for blind signatures reduction for proving security of blind signatures 1. blindness: signer is unable to view the messages he signs and a malicious signer cannot link signatures to specific executions. Signer cannot see the document!

  4. 4 Security for Blind Signatures Pointcheval and Stern ('96): definition of security for blind signatures reduction for proving security of blind signatures 2. one-more unforgeability: a user interacting with a signer cannot output an additional, valid message/ signature pair no matter how many pairs of (messages, signatures) of the signer he has seen. ℓ ... times ℓ + 1 Valid signatures

  5. 5 Motivation for our work The security of some of the oldest (and most efficient) blind signatures [GQ'88, Schnorr'89, Brands'93] is an open problem... Some of them are used in practice! Brands blind signature is used in Microsoft’s UProve system What can we show about the security of these blind signature schemes?

  6. Related Work Pointcheval, Stern 1996: constructed and proved secure a multi- witness variant of the Schnorr blind signature Schnorr, Jakobsson, 1999: Schnorr blind signature is secure in the generic group model Fischlin, Schroder 2011: impossible to prove unique witness blind signatures secure in the standard model for non-interactive assumptions Pass 2011: showed that Schnorr ID scheme (and therefore blind signature) cannot be proven secure under unbounded composition based on a bounded-round assumption in the standard model

  7. 7 Our results We rule out a wide class of reductions for proving one- more unforgeability of certain blind signature schemes in the RO model no matter what assumption one makes. Define Generalized Blind Schnorr Signatures (GBSS) Random Oracle replay reductions [PS'96] Meta-reduction technique Perfect naive and L-naive reductions Proof for Perfect Naive

  8. Generalized Blind Schnorr Signatures 1.Unique witness relation between (sk,pk) i.e. sk in Z q and pk =g sk for g, pk members of G of order q

  9. Generalized Blind Schnorr Signatures 1.Unique witness relation between (sk,pk) 2.Signer's side is like a Σ-protocol 3.The signature σ(a,c,r) has identical distribution to a transcript of a Σ-protocol 4.User makes a Hash query to compute c (a,c,r) & (a,c,r) ⇨ Prover (sk,pk=g sk ) Verifier (pk) efficiently compute sk a exists simulator S c that on input (pk,c) outputs accepting r decides to (a,c,r) with same accept on distribution as honest (pk,a,c,r) discussion

  10. Generalized Blind Schnorr Signatures 1.Unique witness relation on (sk,pk) 2.Signer's side is like a Σ-protocol 3.The signature σ(a,c,r) has identical distribution to a transcript of a Σ-protocol 4.User makes a Hash query to compute c 5.There exists efficient algorithm s.t. on input (sk,pk), valid (a,c,r) and random c computes r such that: (a,c,r) is also valid

  11. Generalized Blind Schnorr Signatures 1.Unique witness relation on (sk,pk) 2.Signer's side is like a Σ-protocol 3.The signature σ(a,c,r) has identical distribution to a transcript of a Σ-protocol 4.User makes a Hash query to compute c 5.There exists efficient algorithm s.t. on input (sk,pk), valid (a,c,r) and random c computes r such that: (a,c,r) is also valid Blind Schnorr Sign. [Okamoto '91] Blinding Generalized Blind GQ Blind Sign. [Okamoto '91] r = s + c sk Schnorr Signatures r Brands Blind Sign. [Brands '93] GBSS ?

  12. Random Oracle Replay Reduction [PS'96] Unforgeability Reduction B RO H Hard problem (may be interactive) Adversary A … forgery

  13. Random Oracle Replay Reduction [PS'96] Unforgeability Reduction B RO H’ RO H Hard problem (may be interactive) Adversary A … forgery With non-negligible probability get σ(m)=(a,c,r) and σ(m)=(a,c,r) on the same message m and break the hard problem!

  14. How do we rule out reductions?

  15. Meta-reduction paradigm: “reduction against the reduction” Meta-reduction M Reduction B RO H Hard problem (may be interactive) Adversary A Adversar … y A forgery Goal: construct poly-time A so that A+B solves the problem, then it can be solved in poly-time CONTRADICTION

  16. Which reductions do we rule out?

  17. Perfect Naive and L-naive Replay Reductions Naive Replay Reductions . special tape for RO queries, always c1,c2,...ci..., answers with next value on tape or some function of it Reduction B RO Perfect Naive L- Naive H A gets same view for all A, B runs A inside B as it would at most L times Adversary A Advers get “in the wild” ary A Not true for many True for all reductions reductions I know (PS'96, AO'04, Coron'00, BR'93 etc.)

  18. Proof Outline: the Tale of Two Adversaries ≈ super adversary sA: B’s personal nemesis pA: statistically, can compute SK from PK has special powers: as far as B (we don’t know how 1) can see RO-tape can tell to do this in poly-time) 2) can remember its past lives (pA is poly-time) If B works at all, it works with adversary sA. But then it also works with pA, since they are indistinguishable to B. Both B and pA are poly-time, therefore together they break the assumption (CONTRADICTION).

  19. Proof Outline: the Tale of Two Adversaries pA and sA attack the unforgeability property of Generalized Blind Schnorr Signatures Interact with B to receive one signature and output two valid signatures (forgery) Meta-reduction M c1,c2,...ci... c1,c2,...ci... Reduction B Reduction B RO RO H H … … forgery forgery Polynomial time

  20. sA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., PK, a 1. Find SK from PK 2. Compute two forgeries σ1 = (a1,c1,r1), σ2=(a2,c2,r2)

  21. sA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., 2 RO queries: (m1,pk,a1), PK, a (m2,pk,a2) 1. Find SK from PK 2. Compute two forgeries σ1 = (a1,c1,r1), σ2=(a2,c2,r2)

  22. sA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., 2 RO queries: (m1,pk,a1), PK, a (m2,pk,a2) 1. Find SK from PK c 2. Compute two forgeries σ1 = (a1,c1,r1), r σ2=(a2,c2,r2) 3. c ⇦ PRF(transcript) 4. If r correct output σ1, σ2

  23. sA for Perfect Naive Reduction what happens if sA is reset by B? Same queries? Reduction B c1,c2,...,ci,..., depends on (pk,a) Different with high 2 RO queries: prob. (m1,pk,a1), PK, a (m2,pk,a2) 1. Find SK from PK c 2. Compute two forgeries σ1 = (a1,c1,r1), r σ2=(a2,c2,r2) 3. c ⇦ PRF(transcript) 4. If r correct output σ1, σ2

  24. pA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., PK, a 1. look at RO tape: get c1,c2 2. pick random r1,r2 & solve for a1,a2 using the simulator of the Σ-protocol

  25. pA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., 2 RO queries: (m1,pk,a1), PK, a (m2,pk,a2) 1. look at RO tape: get c1,c2 2. pick random r1,r2 & solve for a1,a2 using the simulator of the Σ-protocol

  26. pA for Perfect Naive Reduction Reduction B c1,c2,...,ci,..., 2 RO queries: (m1,pk,a1), PK, a (m2,pk,a2) 1. look at RO tape: get c1,c2 c 2. pick random r1,r2 & solve for a1,a2 using the simulator of the Σ-protocol r 3. set σ1 = (a1,c1,r1), σ2=(a2,c2,r2) 4. c ⇦ PRF(transcript) 5. If r correct output σ1,σ2

  27. pA for Perfect Naive Reduction what happens if pA is reset by B? Reduction B c1,c2,...,ci,..., same PK, a

  28. pA for Perfect Naive Reduction what happens if pA is reset by B? Reduction B c1,c2,...,ci,..., same PK, a 1. look at RO tape: get c3,c4 c 2. same RO queries: (m1,pk,a1),(m2,pk,a2) 3. cannot compute his forgeries for these r RO queries 4. c ⇦ PRF(transcript) 5. If r correct: previous conversation was ⇨ sk (pk,a,c,r), current is (pk,a,c,r) 6. Output forgeries σ1,σ2

  29. pA for Perfect Naive Reduction what happens if pA is reset by B? Reduction B c1,c2,...,ci,..., same PK, a 1. look at RO tape: get c3,c4 c 2. same RO queries: (m1,pk,a1),(m2,pk,a2) Get stuck if previous 3. cannot compute his forgeries for these run wasn't perfect: r RO queries didn’t include r! 4. c ⇦ PRF(transcript) 5. If r correct: previous conversation was ⇨ sk (pk,a,c,r), current is (pk,a,c,r) 6. Output forgeries σ1,σ2

  30. pA ≈ sA for Perfect Naive Reduction ≈ super adversary sA: B’s personal nemesis pA: as far as - always outputs - outputs 2 (pseudo) B can tell 2 (pseudo) random random signatures when signatures c ≠ c

  31. Ruling Out More Reductions Assumption: B is perfect -- it always gives valid responses to A. L-Naive RO replay reduction B Up to L resets! ... A 1-more forgery pA and sA succeed in forging with some probability pA also has write access to B's RO tape

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

First Witness Security DCJS 11-14998 540-442-0086 First Witness Security First Witness Security

First Witness Security DCJS 11-14998 540-442-0086 First Witness Security First Witness Security

First Witness Security DCJS 11-14998 540-442-0086 First Witness Security First Witness Security is Veteran owned company (USMC) in business for 25 years. Rodney Dixon, the owner has worked in high-tech fields ever since the Military. The

278 views • 26 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of Informatics University of Edinburgh 31st January 2013 Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA

1.15k views • 91 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram Poettering and Douglas Stebila Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

454 views • 41 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --> (Z q ) n m

279 views • 15 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

399 views • 29 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

335 views • 14 slides
On Deciding MUS Membership with QBF s Janota 1 Joao Marques-Silva 1 , 2 Mikol a 1

On Deciding MUS Membership with QBF s Janota 1 Joao Marques-Silva 1 , 2 Mikol a 1

On Deciding MUS Membership with QBF s Janota 1 Joao Marques-Silva 1 , 2 Mikol a 1 INESC-ID/IST, Lisbon, Portugal 2 CASL/CSI, University College Dublin, Ireland (INESC-ID & UCD) cmMUS 1 / 18 CNF and Unsatisfiability y , { x y ,

841 views • 46 slides
Hybrid Resources Workshop November 24, 2020 9:30am - 4:30pm California Public Utilities

Hybrid Resources Workshop November 24, 2020 9:30am - 4:30pm California Public Utilities

Capacity Valuation for BTM Hybrid Resources Workshop November 24, 2020 9:30am - 4:30pm California Public Utilities Commission Logistics Online and will be recorded Safety Note surroundings Audio through computer or phone

1.14k views • 84 slides
and lest his readers should over- estimate the unity and sanctity of the Christian body in those

and lest his readers should over- estimate the unity and sanctity of the Christian body in those

The narrator of Acts refuses to idolise his picture of the primitive community, and lest his readers should over- estimate the unity and sanctity of the Christian body in those early days, he has put on record here one of those accounts which

195 views • 6 slides
Best Practices to Bring Your eLearning Modules to Life Laura Schreiber, Professional Voice Over

Best Practices to Bring Your eLearning Modules to Life Laura Schreiber, Professional Voice Over

Best Practices to Bring Your eLearning Modules to Life Laura Schreiber, Professional Voice Over Actor and eLearning Narrator Columbia: Where we thought we were going and where it all started for me Low Library and Lawn at Columbia And

470 views • 8 slides
Processes and Threads Placement of Parallel Applications. Why, How and for What gain? Joint work

Processes and Threads Placement of Parallel Applications. Why, How and for What gain? Joint work

Processes and Threads Placement of Parallel Applications. Why, How and for What gain? Joint work with: Guillaume Mercier, Franois Tessier, Brice Goglin, Emmanuel Agulo, George Bosilca. COST spring School, Uppsala Emmanuel Jeannot Runtime

937 views • 75 slides
Asynchronous Parallel DLA in Concurrent Collections Aparna Chandramowlishwaran, Richard Vuduc

Asynchronous Parallel DLA in Concurrent Collections Aparna Chandramowlishwaran, Richard Vuduc

Asynchronous Parallel DLA in Concurrent Collections Aparna Chandramowlishwaran, Richard Vuduc Georgia Tech Kathleen Knobe Intel May 14, 2009 Workshop on Scheduling for Large-Scale Systems @ UTK 1 1 Motivation and goals Motivating

1.04k views • 61 slides
Neologism: Easy Vocabulary Publishing Cosmin Basca, Stphane Corlosquet, Richard Cyganiak,

Neologism: Easy Vocabulary Publishing Cosmin Basca, Stphane Corlosquet, Richard Cyganiak,

Neologism: Easy Vocabulary Publishing Cosmin Basca, Stphane Corlosquet, Richard Cyganiak, Sergio Fernndez, Thomas Schandl Two visions of the SW Logics Web Semantic Web Putting RDF documents on the Web RDF links, dereferenceable

288 views • 15 slides
Acts Series Lesson #118 August 6, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #118 August 6, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #118 August 6, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Acts of the Apostles To the end of the earth Acts 1:8 Athens: GOD, Unknown gods, Stoics, Epicureans, Evolution, and the Chain

785 views • 77 slides

More recommend