
Round-Optimal Waters Blind Signatures, David Pointcheval



  1. Introduction | Cryptographic Tools | Signatures on Ciphertexts | Blind Signatures

     Slide 1/45. Round-Optimal Waters Blind Signatures
     David Pointcheval
     Joint work with Olivier Blazy, Georg Fuchsbauer and Damien Vergnaud
     Ecole normale supérieure, CNRS & INRIA
     Institute of Advanced Studies of Tsinghua University
     Beijing – China – October 18th, 2010

     Slide 2/45. Outline
     1. Introduction
     2. Cryptographic Tools
     3. Signatures on Randomizable Ciphertexts
     4. Blind Signatures

     Slide 3/45. Outline
     1. Introduction
        - Electronic Cash
        - Blind Signatures
     2. Cryptographic Tools
     3. Signatures on Randomizable Ciphertexts
     4. Blind Signatures

     Slide 4/45. Electronic Cash
     Electronic Coins [Chaum, 1981]
     Expected properties:
     - coins are signed by the bank, for unforgeability
     - coins must be distinct to detect/avoid double-spending
     - the bank should not know to whom it gave a coin, for anonymity

     Electronic Cash
     The process is the following one:
     - Withdrawal: the user gets a coin c from the bank
     - Spending: the user spends a coin c in a shop
     - Deposit: the shop gives back the money to the bank

  2. Slides 5/45 and 6/45. Blind Signatures
     We thus want:
     - Anonymity: the bank cannot link a withdrawal to a deposit, to know where a user spent a coin → blind signature
     - No double-spending: a coin should not be used twice → fair blind signature

     Perfectly Blind Signatures (slide 5)
     A blind signature allows a user to get a message $m$ signed by an authority into $\sigma$ so that the authority (even powerful) cannot later recognize the pair $(m, \sigma)$.

     Computationally/Fair Blind Signatures (slide 6)
     Unlinkability between the signing process and the pair $(m, \sigma)$ is either computational, or even revocable (fair blind signatures). The latter property makes it possible to identify/trace the defrauder after double-spending detection.

     Slide 7/45. Blind RSA [Chaum, 1981]
     The easiest way to obtain blind signatures is to blind the message.
     To get an FDH RSA signature on $m$ under RSA public key $(n, e)$:
     - The user computes a blind version of the hash value: $M = H(m)$ and $M' = M \cdot r^e \bmod n$
     - The signer signs $M'$ into $\sigma' = M'^d \bmod n$
     - The user unblinds the signature: $\sigma = \sigma' / r \bmod n$

     Indeed,
     $\sigma = \sigma'/r = M'^d / r = (M \cdot r^e)^d / r = M^d \cdot r / r = M^d \bmod n$

     → Proven under the One-More RSA Assumption [Bellare, Namprempre, Pointcheval, Semanko, 2001]
     → Perfectly blind signature

     Slide 8/45. Blind Signatures and NIZK [Fischlin, 2006]
     Fischlin Approach
     To get a signature on $m$:
     - The user commits $m$ into $c$
     - The signer signs $c$ into $\sigma$
     - The user generates a NIZK proof of knowledge of $c$ and $\sigma$, valid with respect to $m$ and the signer public key

     This can be instantiated within the Groth-Sahai methodology.

     This method is in the same vein as the Blind RSA:
     - The user commits $m$ into $c$: blinding of the message
     - The signer signs $c$ into $\sigma$: signature on the blinded message
     - The user generates a NIZK proof of knowledge of $c$ and $\sigma$ → Could we do an unblinding?
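The Blind RSA exchange of slide 7, run end to end, as an added example that is not part of the original slides. The toy modulus built from two Mersenne primes, the SHA-256-based `fdh`, and all function names are assumptions made for illustration; `explaining_factor` shows concretely why the signer's view is perfectly blind.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent d


def fdh(message: bytes) -> int:
    """Toy full-domain hash H(m): SHA-256 reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes) -> tuple:
    """User: pick r in Z_n^*, return (M' = H(m) * r^e mod n, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return fdh(message) * pow(r, E, N) % N, r


def sign_blinded(m_blind: int) -> int:
    """Signer: sigma' = M'^d mod n, computed without seeing m."""
    return pow(m_blind, D, N)


def unblind(sig_blind: int, r: int) -> int:
    """User: sigma = sigma' / r mod n."""
    return sig_blind * pow(r, -1, N) % N


def verify(message: bytes, sig: int) -> bool:
    """Anyone: accept iff sigma^e = H(m) mod n."""
    return pow(sig, E, N) == fdh(message)


def explaining_factor(m_blind: int, other: bytes) -> int:
    """Return the r that makes the signer's view M' a blinding of `other`."""
    # Such an r exists for every message, so M' reveals nothing about m.
    return pow(m_blind * pow(fdh(other), -1, N) % N, D, N)


def withdraw(message: bytes) -> tuple:
    """Run blind, sign, unblind; return (signer's view M', signature)."""
    m_blind, r = blind(message)
    return m_blind, unblind(sign_blinded(m_blind), r)
```

The unblinded result equals the ordinary FDH signature $M^d \bmod n$, while two withdrawals of the same message give the signer two unrelated values $M'$.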

  3. Slide 9/45. Outline
     1. Introduction
     2. Cryptographic Tools
        - Computational Assumptions
        - Signature & Encryption
        - Security
        - Groth-Sahai Methodology
     3. Signatures on Randomizable Ciphertexts
     4. Blind Signatures

     Slide 10/45. Computational Assumptions. Assumptions: Diffie-Hellman
     Definition (The Computational Diffie-Hellman problem (CDH))
     $G$ a cyclic group of prime order $p$. The CDH assumption in $G$ states:
     for any generator $g \stackrel{\$}{\leftarrow} G$, and any scalars $a, b \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
     given $(g, g^a, g^b)$, it is hard to compute $g^{ab}$.

     Definition (The Decisional Diffie-Hellman problem (DDH))
     $G$ a cyclic group of prime order $p$. The DDH assumption in $G$ states:
     for any generator $g \stackrel{\$}{\leftarrow} G$, and any scalars $a, b, c \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
     given $(g, g^a, g^b, g^c)$, it is hard to decide whether $c = ab$ or not.

     In some pairing-friendly groups, the latter assumption is wrong.

     Slide 11/45. Computational Assumptions. Assumptions: Linear Problem
     Definition (Decision Linear Assumption (DLin))
     $G$ a cyclic group of prime order $p$. The DLin assumption states:
     for any generator $g \stackrel{\$}{\leftarrow} G$, and any scalars $a, b, x, y, c \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
     given $(g, g^x, g^y, g^{xa}, g^{yb}, g^c)$, it is hard to decide whether $c = a + b$ or not.

     Equivalently, given a reference triple $(u = g^x, v = g^y, g)$ and a new triple $(U = u^a = g^{xa}, V = v^b = g^{yb}, T = g^c)$, decide whether $T = g^{a+b}$ or not (that is $c = a + b$).

     Slide 12/45. Signature & Encryption. General Tools: Signature
     Definition (Signature Scheme)
     $S = (\mathsf{Setup}, \mathsf{SKeyGen}, \mathsf{Sign}, \mathsf{Verif})$:
     - $\mathsf{Setup}(1^k)$ → global parameters $param$;
     - $\mathsf{SKeyGen}(param)$ → pair of keys $(sk, vk)$;
     - $\mathsf{Sign}(sk, m; s)$ → signature $\sigma$, using the random coins $s$;
     - $\mathsf{Verif}(vk, m, \sigma)$ → validity of $\sigma$

     If one signs $F = \mathcal{F}(M)$, for any function $\mathcal{F}$, one extends the above definitions: $\mathsf{Sign}(sk, (\mathcal{F}, F, \Pi_M); s)$ and $\mathsf{Verif}(vk, (\mathcal{F}, F, \Pi_M), \sigma)$, where $\mathcal{F}$ details the function that is applied to the message $M$ yielding $F$, and $\Pi_M$ is a proof of knowledge of a preimage of $F$ under $\mathcal{F}$.

  4. Slide 13/45. Signature & Encryption. Signature: Example
     In a group $G$ of order $p$, with a generator $g$, and a bilinear map $e : G \times G \to G_T$

     Waters Signature [Waters, 2005]
     For a message $M = (M_1, \ldots, M_k) \in \{0,1\}^k$, we define $F(M) = u_0 \prod_{i=1}^{k} u_i^{M_i}$, where $\vec{u} = (u_0, \ldots, u_k) \stackrel{\$}{\leftarrow} G^{k+1}$.
     For an additional generator $h \stackrel{\$}{\leftarrow} G$.
     - $\mathsf{SKeyGen}$: $vk = X = g^x$, $sk = Y = h^x$, for $x \stackrel{\$}{\leftarrow} \mathbb{Z}_p$;
     - $\mathsf{Sign}(sk = Y, M; s)$, for $M \in \{0,1\}^k$ and $s \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ → $\sigma = (\sigma_1 = Y \cdot F(M)^s, \ \sigma_2 = g^{-s})$;
     - $\mathsf{Verif}(vk = X, M, \sigma = (\sigma_1, \sigma_2))$ checks whether $e(g, \sigma_1) \cdot e(F(M), \sigma_2) = e(X, h)$.

     Slide 14/45. Signature & Encryption. General Tools: Encryption
     Definition (Encryption Scheme)
     $E = (\mathsf{Setup}, \mathsf{EKeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$:
     - $\mathsf{Setup}(1^k)$ → global parameters $param$;
     - $\mathsf{EKeyGen}(param)$ → pair of keys $(pk, dk)$;
     - $\mathsf{Encrypt}(pk, m; r)$ → ciphertext $c$, using the random coins $r$;
     - $\mathsf{Decrypt}(dk, c)$ → plaintext, or $\bot$ if the ciphertext is invalid.

     Homomorphic Encryption
     For some group laws: $\oplus$ on the plaintext, $\otimes$ on the ciphertext, and $\odot$ on the randomness
     $\mathsf{Encrypt}(pk, m_1; r_1) \otimes \mathsf{Encrypt}(pk, m_2; r_2) = \mathsf{Encrypt}(pk, m_1 \oplus m_2; r_1 \odot r_2)$
     $\mathsf{Decrypt}(sk, \mathsf{Encrypt}(pk, m_1; r_1) \otimes \mathsf{Encrypt}(pk, m_2; r_2)) = m_1 \oplus m_2$

     Slide 15/45. Signature & Encryption. Encryption: Example
     In a group $G$ of order $p$, with a generator $g$:

     Linear Encryption [Boneh, Boyen, Shacham, 2004]
     - $\mathsf{EKeyGen}$: $dk = (x_1, x_2) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^2$, $pk = (X_1 = g^{x_1}, X_2 = g^{x_2})$;
     - $\mathsf{Encrypt}(pk = (X_1, X_2), m; (r_1, r_2))$, for $m \in G$ and $(r_1, r_2) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^2$ → $c = (c_1 = X_1^{r_1}, \ c_2 = X_2^{r_2}, \ c_3 = g^{r_1 + r_2} \cdot m)$;
     - $\mathsf{Decrypt}(dk = (x_1, x_2), c = (c_1, c_2, c_3))$ → $m = c_3 / (c_1^{1/x_1} c_2^{1/x_2})$.

     Homomorphism
     $(\oplus_M = \times, \otimes_C = \times, \odot_R = +)$-homomorphism
     With $m = g^M$ → $(\oplus_M = +, \otimes_C = \times, \odot_R = +)$-homomorphism

     Slide 16/45. Security. Security Notions: Signature
     Signature: EF-CMA
     Existential Unforgeability under Chosen-Message Attacks
     An adversary should not be able to generate a new valid message-signature pair even if it is allowed to ask signatures on any message of its choice.
     Impossibility to forge signatures
     Waters signature reaches EF-CMA under the CDH assumption
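Linear Encryption from slide 15 with both homomorphisms checked on explicit random coins, as an added example that is not part of the original slides. The toy group (squares modulo the safe prime 2039, generator 4) and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy group (assumption): squares modulo the safe prime p = 2q + 1.
P_MOD, Q_ORD, G = 2039, 1019, 4  # G generates the subgroup of prime order q


def keygen():
    """EKeyGen: dk = (x1, x2), pk = (X1 = g^x1, X2 = g^x2)."""
    x1, x2 = (secrets.randbelow(Q_ORD - 1) + 1 for _ in range(2))
    return (x1, x2), (pow(G, x1, P_MOD), pow(G, x2, P_MOD))


def encrypt(pk, m, r1, r2):
    """c = (X1^r1, X2^r2, g^(r1+r2) * m), with explicit random coins."""
    return (pow(pk[0], r1, P_MOD), pow(pk[1], r2, P_MOD),
            pow(G, r1 + r2, P_MOD) * m % P_MOD)


def decrypt(dk, c):
    """m = c3 / (c1^(1/x1) * c2^(1/x2)), exponents inverted modulo q."""
    mask = (pow(c[0], pow(dk[0], -1, Q_ORD), P_MOD)
            * pow(c[1], pow(dk[1], -1, Q_ORD), P_MOD)) % P_MOD
    return c[2] * pow(mask, -1, P_MOD) % P_MOD


def combine(c, d):
    """The ciphertext law: component-wise product."""
    return tuple(a * b % P_MOD for a, b in zip(c, d))


def homomorphism_holds(pk, m1, m2, coins1, coins2):
    """Check Encrypt(m1; r) * Encrypt(m2; s) == Encrypt(m1 * m2; r + s)."""
    left = combine(encrypt(pk, m1, *coins1), encrypt(pk, m2, *coins2))
    summed = [(a + b) % Q_ORD for a, b in zip(coins1, coins2)]
    return left == encrypt(pk, m1 * m2 % P_MOD, *summed)


def add_in_exponent(dk, pk, a, b):
    """Encode m = g^M: multiplying the ciphertexts adds a and b."""
    coins = [secrets.randbelow(Q_ORD) for _ in range(4)]
    c = combine(encrypt(pk, pow(G, a, P_MOD), *coins[:2]),
                encrypt(pk, pow(G, b, P_MOD), *coins[2:]))
    target = decrypt(dk, c)
    # Recovering M needs a discrete log, so this only works for small M.
    return next(M for M in range(Q_ORD) if pow(G, M, P_MOD) == target)
```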
