Efficient Sequential Aggregate Signed Data
24
Efficient Sequential Aggregate Signed Data Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven
description
Efficient Sequential Aggregate Signed Data. Gregory Neven IBM Zurich Research Laboratory work done while at K.U.Leuven. Digital signatures. (pk,sk) ← KeyGen(). (pk),M, σ. σ ← Sign(sk,M). 0/1 ← Verify(pk,M,σ). Digital signatures. σ 1 ← Sign(sk 1 ,M 1 ). - PowerPoint PPT Presentation
Transcript of Efficient Sequential Aggregate Signed Data
Efficient Sequential Aggregate Signed Data
Gregory Neven
IBM Zurich Research Laboratory
work done while at K.U.Leuven
2
Digital signatures
(pk),M,σσ ← Sign(sk,M)
0/1 ← Verify(pk,M,σ)
(pk,sk) ← KeyGen()
3
Digital signatures
…
(pk1,…,pkn),M1,…,Mn, σ1,…, σn
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σni : 0/1 ← Verify(pki,Mi,σi)
A
4
Aggregate signatures (AS)
…
(pk1,…,pkn),M1,…,Mn, σ
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σnσ ← Agg(σ1,…,σn)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[BGLS03]
5
Sequential aggregate signatures (SAS)
σ1 ← Sign(sk1,M1)
…
(pk1,…,pkn),M1,…,Mn, σ
σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[LMRS04]
6
Existing (S)AS schemes
Scheme Type Based on Key model RO
BGLS AS pairings plain Y
LMRS SAS RSA plain Y
LOSSW SAS pairings KoSK N
7
Drawbacks of existing schemes Current drawbacks of pairings (BGLS, LOSSW)
trust in assumptions vs. factoring, RSA no standardization implementations
Rather inefficient verification (BGLS, LMRS) BGLS: n pairings LMRS: certified claw-free trapdoor permutations
instantiation from RSA requires e > N
→ verification = signing = n full-length exps
Weak key setup model (LOSSW)
plain public-key vs. knowledge of secret key (KOSK)
8
cert1 ← Sign(sk1, ID2||pk2)
cert2 ← Sign(sk2, IDU||pk, cert1)
cert1
cert2
σ ← Sign(sk, M, cert2)
1
2
U
Drawbacks of existing schemes Security parameter flexibility (BGLS, LMRS, LOSSW)
e.g. certificate chains
BGLS, LOSSW: no flexibility whatsoever LMRS: increasing modulus size only
→ exact opposite of what we need No (S)AS schemes for currently existing keys/certificates!
secu
rity
leve
l
9
Our contributions
Generalization of SAS to SASD
SASD scheme with instantations from low-exponent RSA and factoring efficient signing (1 exp + O(n) mult) and
verification (O(n) mult) full flexibility in modulus size compatible with existing RSA/Rabin keys and certificates
Pure SAS scheme with same properties
Generalization of multi-signatures to multi-signed data (MSD) Non-interactive MSD scheme from RSA and factoring
(no pairings)
10
Sequential aggregate signatures
σ1 ← Sign(sk1,M1)
… σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn|
(pk1,…,pkn),M1,…,Mn, σ
0/1 ← Verify(pk,M,σ)
[LMRS04]
11
Sequential aggregate signed data (SASD)
Σ1 ← Sign(sk1,M1)
…
Σ
(pk,M)/ ← Verify(Σ)
Σ2 ← Sign(sk2,M2,Σ1)
Σ1
Σn-1
Σ = Σn ← Sign(skn,Mn,Σn-1)
Goal: minimize “net overhead” |Σ| – |M1| – … – |Mn|
┴
12
SASD scheme intuition
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
=
π -1
net overhead ≈ 160 bits
m µ
X hm
=
=Σ
M
13
SASD scheme intuition
m µ
X h
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
m
π
net overhead ≈ 160 bits
=?
=
=Σ
M
14
SASD scheme intuition
m1 µ1
X1 h1
H
G
=
m1=
-1π
m2 µ2
X2 h2
H
G
m2
-1π
net overhead ≈ 2×160 = 320 bits
Step 2. Aggregating the hashes
Σ1
M1
=
=Σ2
M2
1
2
15
SASD scheme intuition
m1 µ1
G-1π
m2 µ2
G-1π
net overhead ≈ 160 bits
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
16
SASD scheme intuition
m1 µ1
G
π
m2 µ2
G
π
net overhead ≈ 160 bits
=?
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
17
SASD scheme intuition
m1 µ1
X1 h1
Step 3. Recovering any type of data (intuition only – insecure!)
G
=
m1=
-1π
M2
X2 h2
G
M2
-1π
net overhead ≈ 160 bits
H
H
X1
=
=Σ1
M1
=Σ2
1
2
18
The SASD scheme
Step 4. Getting the details right: see paper.
Theorem. If there exists a forger that (t,qS,qH,qG,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where
πmaxSmaxH
L
2SmaxGH
S
tn)1q(n2q)2d/1(t't
2
))1q(n2qq(4
)1q(e
ε'ε
19
Comparison of SAS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
BGLS pairings 160 1 E n P
LOSSW pairings 320 2 P + 160n M 2 P + 160n M
LMRS RSA 1024 n E n E
SASDRSA,
factoring160…1184 1 E + 2n M 2n M
SASRSA,
factoring1184 1 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
20
Non-interactive multi-signatures (MS)
Sign(sk1,M)
Sign(skn,M)
…(pk1,…,pkn), M, σ
Σ ← Agg(σ1,…, σn)
Goal: |σ| < |σ1| + … + |σn|
n signatures on same message M
σ1
σn0/1 ← Verify(pk,M,σ)
21
Non-interactive multi-signed data (MSD)
Sign(sk1,M)
Sign(skn,M)
…Σ
Σ ← Agg(Σ1,…, Σn)
Goal: minimize “net overhead” |Σ| – |M|
n signatures on same message M
Σ1
Σn(pk,M)/ ← Verify(Σ)┴
22
MSD scheme
m1 µ1
h
H
G
=
-1π
Each partial signature contains part of M
M m2 m3µ2 µ3 m4
G-1π
G-1π
m1 Σ1=Σ m2 m3Σ2 Σ3 m4
net overhead ≈ 160 bits
Who takes which part of M? Fully non-interactive: pos = hash(πi,M)
Known co-signers: fixed (e.g. lexicographic) order
1
2
3
23
Comparison of MS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
Bol pairings 160 1 E 2 P + n M
LOSSW pairings 320 2 E + 160 M2 P +
(160+n) M
MSDRSA,
factoring160 …
1024n + 1601 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
24
Closing remarks
In summary: propose SAS, SASD, MSD schemes first based on low-exponent RSA and factoring outperform existing schemes in many respects free choice of modulus size work with existing RSA/Rabin keys
Tight reduction using Katz-Wang, or next talk
Full version: ePrint Report 2008/063
