signature schemes with efficient protocols and dynamic
play

Signature Schemes with Efficient Protocols and Dynamic Group - PowerPoint PPT Presentation

Mar 18, 2024 •406 likes •1.33k views

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

  1. Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benoît Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 É.N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological University, Singapore Asiacrypt, Hanoi, 06/12/2016 Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 1/30

  2. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  3. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  4. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  5. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures, anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs compatible with this signature (no hash functions) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  6. Privacy-Preserving Cryptography Important Goal: Anonymous authentication. e.g. e-voting, e-cash, group signatures , anonymous credentials. . . Ingredients ◮ A signature scheme ◮ Zero-knowledge (ZK) proofs compatible with this signature (no hash functions) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 2/30

  7. Group Signatures A user wants to take public transportations. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  8. Group Signatures A user wants to take public transportations. timestamp Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  9. Group Signatures A user wants to take public transportations. signature ◮ Authenticity & Integrity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  10. Group Signatures A user wants to take public transportations. signature ??? ◮ Authenticity & Integrity ◮ Anonymity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  11. Group Signatures A user wants to take public transportations. signature ??? ◮ Authenticity & Integrity ◮ Anonymity Join ◮ Dynamicity Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  12. Group Signatures A user wants to take public transportations. signature ◮ Authenticity & Integrity ◮ Anonymity Join ◮ Dynamicity ◮ Traceability POLICE Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 3/30

  13. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  14. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  15. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; ◮ Even if everyone, including authorities, is dishonest, no one can sign in your name; Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  16. Motivation Dynamic group signatures In dynamic group signatures, new group members can be introduced at any time. The dynamic group setting: ◮ Add users without re-running the Setup phase; ◮ Even if everyone, including authorities, is dishonest, no one can sign in your name; ◮ Most use cases require dynamic groups (e.g., anonymous access control in buildings). Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 4/30

  17. Anonymous Credentials (Chaum’85, Camenisch-Lysyanskya’01) Principle (e.g., U-Prove, Idemix) Involves Authority , Users and Verifiers . ◮ User dynamically obtains credentials from an authority under a pseudonym (= commitment to a digital identity) ◮ . . . and can dynamically prove possession of credentials using different ( unlinkable ) pseudonyms Different flavors : one-show/multi-show credentials, attribute-based access control,. . . Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 5/30

  18. Anonymous Credentials (Chaum’85, Camenisch-Lysyanskya’01) Principle (e.g., U-Prove, Idemix) Involves Authority , Users and Verifiers . ◮ User dynamically obtains credentials from an authority under a pseudonym (= commitment to a digital identity) ◮ . . . and can dynamically prove possession of credentials using different ( unlinkable ) pseudonyms Different flavors : one-show/multi-show credentials, attribute-based access control,. . . General construction from signature with efficient protocols: ◮ Authority gives a user a signature on a committed message; ◮ User proves that same secret underlies different pseudonyms; ◮ User proves that he possesses a message-signature pair. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 5/30

  19. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Message Message Signature Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  20. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Open Message Message Signature ◮ Protocol for signing committed messages Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  21. Signature with Efficient Protocols Signature Scheme with Efficient Protocols (Camenisch-Lysyanskya, SCN’02 ) Signer Verifier Sign Verify Open Message Message Signature ZKPoK PoK ◮ Protocol for signing committed messages ◮ Proof of Knowledge (PoK) of (Message; Signature) Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 6/30

  22. Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n . Can be seen as integer linear combinations of a finite set of vectors. �� � Λ( b 1 , . . . , b n ) = i ≤ n a i b i | a i ∈ Z Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 7/30

  23. Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n . Can be seen as integer linear combinations of a finite set of vectors. �� � Λ( b 1 , . . . , b n ) = i ≤ n a i b i | a i ∈ Z Why? ◮ Simple and efficient; ◮ Still conjectured quantum-resistant; ◮ Connection between average-case and worst-case problems; ◮ Powerful functionalities (e.g., FHE). → Finding a non-zero short vector in a lattice is hard. Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 7/30

  24. Hardness Assumptions: SIS and LWE Parameters : n dimension, m ≥ n , q modulus. ֓ U ( Z m × n For A ← ) : q Small Integer Solution Learning With Errors x s + e , A A = 0 [ q ] A m n ֓ Z n s ← e small error q � � Goal: Given A ∈ Z m × n , find Goal: Given A , A s + e , q x ∈ Z m \{ 0 } small find s ∈ Z n q Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 8/30

  25. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

  26. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups 2004 Kiayias and Yung : model for dynamic groups 2004 Bellare, Shi and Zhang : model for dynamic groups Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

  27. Group Signatures: History 1991 Chaum and van Heyst : introduction 2000 Ateniese, Camenisch, Joye and Tsudik : first scalable solution 2003 Bellare, Micciancio and Warinschi : model for static groups 2004 Kiayias and Yung : model for dynamic groups 2004 Bellare, Shi and Zhang : model for dynamic groups 2010 Gordon, Katz and Vaikuntanathan : first lattice -based scheme 2013 Laguillaumie, Langlois, Libert and Stehlé : log-size signatures from lattices Fabrice Mouhartem Signatures with Efficient Protocols and Lattice-Based Dynamic GS 06.12.2016 9/30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --> (Z q ) n m

279 views • 15 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open

Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open

EGI Community Forum 2013 Dynamic Storage Dynamic Storage Federation Federation based on open protocols based on open protocols Oliver Keeble Adrien Devresse Ricardo Brito da Rocha (presenter) Alejandro Alvarez Fabrizio Furano Patrick

444 views • 21 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020 Context PKC 2020 p 2 Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address

437 views • 33 slides
LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

399 views • 29 slides
Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

335 views • 14 slides
Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram Poettering and Douglas Stebila Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

454 views • 41 slides
Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31 Introduction MTSS Digital Signatures

637 views • 35 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval Ecole normale suprieure - France John Malone-Lee - Nigel Smart University of Bristol - UK Summary Summary The methodology of provable

479 views • 12 slides
Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

590 views • 39 slides
1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

1 Pitfalls of Lock-Based Protocols (Cont.) The Two-Phase Locking Protocol The potential for

Concurrency Control Lock-Based Protocols Timestamp-Based Protocols Lecture 9 Concurrency Control Validation-Based Protocols Multiple Granularity Multiversion Schemes Deadlock Handling Chapter 16 Insert and Delete

780 views • 8 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
ICANN 57 Tech Day Nomulus What is Nomulus The registry platform that powers Googles TLDs

ICANN 57 Tech Day Nomulus What is Nomulus The registry platform that powers Googles TLDs

ICANN 57 Tech Day Nomulus What is Nomulus The registry platform that powers Googles TLDs and takes advantage of the scalability and easy operation of Google Cloud Platform Runs on Google App Engine and backed by Google Cloud

372 views • 12 slides
NOCOE Peer Exchange Funding/Ops Funding/Ops Innovations: Innovations: P3s P3s Overview

NOCOE Peer Exchange Funding/Ops Funding/Ops Innovations: Innovations: P3s P3s Overview

NOCOE Peer Exchange Funding/Ops Funding/Ops Innovations: Innovations: P3s P3s Overview Overview CDOTs High Performance Transportation Enterprise (HPTE), for P3s and to finance projects CDOTs first P3 project on the US 36

513 views • 6 slides
Interaction Protocols Martin Thompson - @mjpt777 Code Are protocols the most significant human

Interaction Protocols Martin Thompson - @mjpt777 Code Are protocols the most significant human

Interaction Protocols Martin Thompson - @mjpt777 Code Are protocols the most significant human discovery? protocol noun \ pr -t - k l \ Source: http://www.merriam-webster.com/ protocol noun \ pr -t - k l \ : a code

1.19k views • 99 slides
Kane County Case Management System Assessment Project URL Integration Project Update April

Kane County Case Management System Assessment Project URL Integration Project Update April

Kane County Case Management System Assessment Project URL Integration Project Update April 14, 2011 Amir Holmes, Senior Business Analyst & Project Manager Presentation Overview Review of Original Project Goals & Tasks Status

199 views • 15 slides
An International Protocol for the implementation of the Human Rights to Water and Sanitation

An International Protocol for the implementation of the Human Rights to Water and Sanitation

An International Protocol for the implementation of the Human Rights to Water and Sanitation www.waterhumanrighttreaty.org 1 1 WHO ARE THE PROMOTERS Italian Committee for a World Water Contract (CICMA) A non profit organization committed

295 views • 28 slides
Competitiveness and Diversification of Services Export in Sub-Saharan Africa: The Case of East

Competitiveness and Diversification of Services Export in Sub-Saharan Africa: The Case of East

Maureen Were (UNU-WIDER) and Maureen Odongo (CBK) Competitiveness and Diversification of Services Export in Sub-Saharan Africa: The Case of East African Community AERC Review Workshop for Collaborative Research Project Rethinking Regional

514 views • 25 slides
Regional Economic Communities Community Samuel O Oloruntoba and the fight against corruption in

Regional Economic Communities Community Samuel O Oloruntoba and the fight against corruption in

An Analysis of the roles of Southern African Development Regional Economic Communities Community Samuel O Oloruntoba and the fight against corruption in Thabo Mbeki African Leadership Institute, University of South Africa Presented at the

491 views • 19 slides
Briefing Series The Paris Climate Agreement November 18, 2015 Road Through Paris Briefing #5:

Briefing Series The Paris Climate Agreement November 18, 2015 Road Through Paris Briefing #5:

Road Through Paris Briefing Series The Paris Climate Agreement November 18, 2015 Road Through Paris Briefing #5: The Paris Climate Agreement Edward Elliot Diringer Yamide Dagnet Cameron Managing Executive Senior Associate, Director,

650 views • 43 slides

More recommend