Efficient Sequential Aggregate Signed Data

Gregory Neven

IBM Zurich Research Laboratory

work done while at K.U.Leuven

2

Digital signatures

(pk),M,σσ ← Sign(sk,M)

0/1 ← Verify(pk,M,σ)

(pk,sk) ← KeyGen()

3

Digital signatures

…

(pk1,…,pkn),M1,…,Mn, σ1,…, σn

σ1 ← Sign(sk1,M1)

σn ← Sign(skn,Mn)

σ1

σni : 0/1 ← Verify(pki,Mi,σi)

A

4

Aggregate signatures (AS)

…

(pk1,…,pkn),M1,…,Mn, σ

σ1 ← Sign(sk1,M1)

σn ← Sign(skn,Mn)

σ1

σnσ ← Agg(σ1,…,σn)

Goal: |σ| < |σ1| + … + |σn| , preferably constant

Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices

0/1 ← Verify(pk,M,σ)

[BGLS03]

5

Sequential aggregate signatures (SAS)

σ1 ← Sign(sk1,M1)

…

(pk1,…,pkn),M1,…,Mn, σ

σ2 ← Sign(sk2,M2,σ1)

σ1

σn-1

σ = σn ← Sign(skn,Mn,σn-1)

Goal: |σ| < |σ1| + … + |σn| , preferably constant

Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices

0/1 ← Verify(pk,M,σ)

[LMRS04]

6

Existing (S)AS schemes

Scheme Type Based on Key model RO

BGLS AS pairings plain Y

LMRS SAS RSA plain Y

LOSSW SAS pairings KoSK N

7

Drawbacks of existing schemes Current drawbacks of pairings (BGLS, LOSSW)

trust in assumptions vs. factoring, RSA no standardization implementations

Rather inefficient verification (BGLS, LMRS) BGLS: n pairings LMRS: certified claw-free trapdoor permutations

instantiation from RSA requires e > N

→ verification = signing = n full-length exps

Weak key setup model (LOSSW)

plain public-key vs. knowledge of secret key (KOSK)

8

cert1 ← Sign(sk1, ID2||pk2)

cert2 ← Sign(sk2, IDU||pk, cert1)

cert1

cert2

σ ← Sign(sk, M, cert2)

1

2

U

Drawbacks of existing schemes Security parameter flexibility (BGLS, LMRS, LOSSW)

e.g. certificate chains

BGLS, LOSSW: no flexibility whatsoever LMRS: increasing modulus size only

→ exact opposite of what we need No (S)AS schemes for currently existing keys/certificates!

secu

rity

leve

l

9

Our contributions

Generalization of SAS to SASD

SASD scheme with instantations from low-exponent RSA and factoring efficient signing (1 exp + O(n) mult) and

verification (O(n) mult) full flexibility in modulus size compatible with existing RSA/Rabin keys and certificates

Pure SAS scheme with same properties

Generalization of multi-signatures to multi-signed data (MSD) Non-interactive MSD scheme from RSA and factoring

(no pairings)

10

Sequential aggregate signatures

σ1 ← Sign(sk1,M1)

… σ2 ← Sign(sk2,M2,σ1)

σ1

σn-1

σ = σn ← Sign(skn,Mn,σn-1)

Goal: |σ| < |σ1| + … + |σn|

(pk1,…,pkn),M1,…,Mn, σ

0/1 ← Verify(pk,M,σ)

[LMRS04]

11

Sequential aggregate signed data (SASD)

Σ1 ← Sign(sk1,M1)

…

Σ

(pk,M)/ ← Verify(Σ)

Σ2 ← Sign(sk2,M2,Σ1)

Σ1

Σn-1

Σ = Σn ← Sign(skn,Mn,Σn-1)

Goal: minimize “net overhead” |Σ| – |M1| – … – |Mn|

┴

12

SASD scheme intuition

Step 1. Full-domain hash with message recovery

Trapdoor permutation π, message M = m||µ

H

G

=

π -1

net overhead ≈ 160 bits

m µ

X hm

=

=Σ

M

13

SASD scheme intuition

m µ

X h

Step 1. Full-domain hash with message recovery

Trapdoor permutation π, message M = m||µ

H

G

m

π

net overhead ≈ 160 bits

=?

=

=Σ

M

14

SASD scheme intuition

m1 µ1

X1 h1

H

G

=

m1=

-1π

m2 µ2

X2 h2

H

G

m2

-1π

net overhead ≈ 2×160 = 320 bits

Step 2. Aggregating the hashes

Σ1

M1

=

=Σ2

M2

1

2

15

SASD scheme intuition

m1 µ1

G-1π

m2 µ2

G-1π

net overhead ≈ 160 bits

H

H

Step 2. Aggregating the hashes (intuition only – insecure!)

X1 h1

=

m1=

X2 h2m2

Σ1

M1

=

=Σ2

M2

1

2

16

SASD scheme intuition

m1 µ1

G

π

m2 µ2

G

π

net overhead ≈ 160 bits

=?

H

H

Step 2. Aggregating the hashes (intuition only – insecure!)

X1 h1

=

m1=

X2 h2m2

Σ1

M1

=

=Σ2

M2

1

2

17

SASD scheme intuition

m1 µ1

X1 h1

Step 3. Recovering any type of data (intuition only – insecure!)

G

=

m1=

-1π

M2

X2 h2

G

M2

-1π

net overhead ≈ 160 bits

H

H

X1

=

=Σ1

M1

=Σ2

1

2

18

The SASD scheme

Step 4. Getting the details right: see paper.

Theorem. If there exists a forger that (t,qS,qH,qG,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where

πmaxSmaxH

L

2SmaxGH

S

tn)1q(n2q)2d/1(t't

2

))1q(n2qq(4

)1q(e

ε'ε

19

Comparison of SAS(D) schemes

Scheme Based onOverhead

(– |pk|)Sign Verify

BGLS pairings 160 1 E n P

LOSSW pairings 320 2 P + 160n M 2 P + 160n M

LMRS RSA 1024 n E n E

SASDRSA,

factoring160…1184 1 E + 2n M 2n M

SASRSA,

factoring1184 1 E + 2n M 2n M

P = pairing E = exponentiation M = multiplication

n = #signatures in aggregate

20

Non-interactive multi-signatures (MS)

Sign(sk1,M)

Sign(skn,M)

…(pk1,…,pkn), M, σ

Σ ← Agg(σ1,…, σn)

Goal: |σ| < |σ1| + … + |σn|

n signatures on same message M

σ1

σn0/1 ← Verify(pk,M,σ)

21

Non-interactive multi-signed data (MSD)

Sign(sk1,M)

Sign(skn,M)

…Σ

Σ ← Agg(Σ1,…, Σn)

Goal: minimize “net overhead” |Σ| – |M|

n signatures on same message M

Σ1

Σn(pk,M)/ ← Verify(Σ)┴

22

MSD scheme

m1 µ1

h

H

G

=

-1π

Each partial signature contains part of M

M m2 m3µ2 µ3 m4

G-1π

G-1π

m1 Σ1=Σ m2 m3Σ2 Σ3 m4

net overhead ≈ 160 bits

Who takes which part of M? Fully non-interactive: pos = hash(πi,M)

Known co-signers: fixed (e.g. lexicographic) order

1

2

3

23

Comparison of MS(D) schemes

Scheme Based onOverhead

(– |pk|)Sign Verify

Bol pairings 160 1 E 2 P + n M

LOSSW pairings 320 2 E + 160 M2 P +

(160+n) M

MSDRSA,

factoring160 …

1024n + 1601 E + 2n M 2n M

P = pairing E = exponentiation M = multiplication

n = #signatures in aggregate

24

Closing remarks

In summary: propose SAS, SASD, MSD schemes first based on low-exponent RSA and factoring outperform existing schemes in many respects free choice of modulus size work with existing RSA/Rabin keys

Tight reduction using Katz-Wang, or next talk

Full version: ePrint Report 2008/063