Efficient Sequential Aggregate Signed Data
description
Transcript of Efficient Sequential Aggregate Signed Data
![Page 1: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/1.jpg)
Efficient Sequential Aggregate Signed Data
Gregory Neven
IBM Zurich Research Laboratory
work done while at K.U.Leuven
![Page 2: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/2.jpg)
2
Digital signatures
(pk),M,σσ ← Sign(sk,M)
0/1 ← Verify(pk,M,σ)
(pk,sk) ← KeyGen()
![Page 3: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/3.jpg)
3
Digital signatures
…
(pk1,…,pkn),M1,…,Mn, σ1,…, σn
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σni : 0/1 ← Verify(pki,Mi,σi)
A
![Page 4: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/4.jpg)
4
Aggregate signatures (AS)
…
(pk1,…,pkn),M1,…,Mn, σ
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σnσ ← Agg(σ1,…,σn)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[BGLS03]
![Page 5: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/5.jpg)
5
Sequential aggregate signatures (SAS)
σ1 ← Sign(sk1,M1)
…
(pk1,…,pkn),M1,…,Mn, σ
σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[LMRS04]
![Page 6: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/6.jpg)
6
Existing (S)AS schemes
Scheme Type Based on Key model RO
BGLS AS pairings plain Y
LMRS SAS RSA plain Y
LOSSW SAS pairings KoSK N
![Page 7: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/7.jpg)
7
Drawbacks of existing schemes Current drawbacks of pairings (BGLS, LOSSW)
trust in assumptions vs. factoring, RSA no standardization implementations
Rather inefficient verification (BGLS, LMRS) BGLS: n pairings LMRS: certified claw-free trapdoor permutations
instantiation from RSA requires e > N
→ verification = signing = n full-length exps
Weak key setup model (LOSSW)
plain public-key vs. knowledge of secret key (KOSK)
![Page 8: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/8.jpg)
8
cert1 ← Sign(sk1, ID2||pk2)
cert2 ← Sign(sk2, IDU||pk, cert1)
cert1
cert2
σ ← Sign(sk, M, cert2)
1
2
U
Drawbacks of existing schemes Security parameter flexibility (BGLS, LMRS, LOSSW)
e.g. certificate chains
BGLS, LOSSW: no flexibility whatsoever LMRS: increasing modulus size only
→ exact opposite of what we need No (S)AS schemes for currently existing keys/certificates!
secu
rity
leve
l
![Page 9: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/9.jpg)
9
Our contributions
Generalization of SAS to SASD
SASD scheme with instantations from low-exponent RSA and factoring efficient signing (1 exp + O(n) mult) and
verification (O(n) mult) full flexibility in modulus size compatible with existing RSA/Rabin keys and certificates
Pure SAS scheme with same properties
Generalization of multi-signatures to multi-signed data (MSD) Non-interactive MSD scheme from RSA and factoring
(no pairings)
![Page 10: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/10.jpg)
10
Sequential aggregate signatures
σ1 ← Sign(sk1,M1)
… σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn|
(pk1,…,pkn),M1,…,Mn, σ
0/1 ← Verify(pk,M,σ)
[LMRS04]
![Page 11: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/11.jpg)
11
Sequential aggregate signed data (SASD)
Σ1 ← Sign(sk1,M1)
…
Σ
(pk,M)/ ← Verify(Σ)
Σ2 ← Sign(sk2,M2,Σ1)
Σ1
Σn-1
Σ = Σn ← Sign(skn,Mn,Σn-1)
Goal: minimize “net overhead” |Σ| – |M1| – … – |Mn|
┴
![Page 12: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/12.jpg)
12
SASD scheme intuition
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
=
π -1
net overhead ≈ 160 bits
m µ
X hm
=
=Σ
M
![Page 13: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/13.jpg)
13
SASD scheme intuition
m µ
X h
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
m
π
net overhead ≈ 160 bits
=?
=
=Σ
M
![Page 14: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/14.jpg)
14
SASD scheme intuition
m1 µ1
X1 h1
H
G
=
m1=
-1π
m2 µ2
X2 h2
H
G
m2
-1π
net overhead ≈ 2×160 = 320 bits
Step 2. Aggregating the hashes
Σ1
M1
=
=Σ2
M2
1
2
![Page 15: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/15.jpg)
15
SASD scheme intuition
m1 µ1
G-1π
m2 µ2
G-1π
net overhead ≈ 160 bits
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
![Page 16: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/16.jpg)
16
SASD scheme intuition
m1 µ1
G
π
m2 µ2
G
π
net overhead ≈ 160 bits
=?
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
![Page 17: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/17.jpg)
17
SASD scheme intuition
m1 µ1
X1 h1
Step 3. Recovering any type of data (intuition only – insecure!)
G
=
m1=
-1π
M2
X2 h2
G
M2
-1π
net overhead ≈ 160 bits
H
H
X1
=
=Σ1
M1
=Σ2
1
2
![Page 18: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/18.jpg)
18
The SASD scheme
Step 4. Getting the details right: see paper.
Theorem. If there exists a forger that (t,qS,qH,qG,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where
πmaxSmaxH
L
2SmaxGH
S
tn)1q(n2q)2d/1(t't
2
))1q(n2qq(4
)1q(e
ε'ε
![Page 19: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/19.jpg)
19
Comparison of SAS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
BGLS pairings 160 1 E n P
LOSSW pairings 320 2 P + 160n M 2 P + 160n M
LMRS RSA 1024 n E n E
SASDRSA,
factoring160…1184 1 E + 2n M 2n M
SASRSA,
factoring1184 1 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
![Page 20: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/20.jpg)
20
Non-interactive multi-signatures (MS)
Sign(sk1,M)
Sign(skn,M)
…(pk1,…,pkn), M, σ
Σ ← Agg(σ1,…, σn)
Goal: |σ| < |σ1| + … + |σn|
n signatures on same message M
σ1
σn0/1 ← Verify(pk,M,σ)
![Page 21: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/21.jpg)
21
Non-interactive multi-signed data (MSD)
Sign(sk1,M)
Sign(skn,M)
…Σ
Σ ← Agg(Σ1,…, Σn)
Goal: minimize “net overhead” |Σ| – |M|
n signatures on same message M
Σ1
Σn(pk,M)/ ← Verify(Σ)┴
![Page 22: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/22.jpg)
22
MSD scheme
m1 µ1
h
H
G
=
-1π
Each partial signature contains part of M
M m2 m3µ2 µ3 m4
G-1π
G-1π
m1 Σ1=Σ m2 m3Σ2 Σ3 m4
net overhead ≈ 160 bits
Who takes which part of M? Fully non-interactive: pos = hash(πi,M)
Known co-signers: fixed (e.g. lexicographic) order
1
2
3
![Page 23: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/23.jpg)
23
Comparison of MS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
Bol pairings 160 1 E 2 P + n M
LOSSW pairings 320 2 E + 160 M2 P +
(160+n) M
MSDRSA,
factoring160 …
1024n + 1601 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
![Page 24: Efficient Sequential Aggregate Signed Data](https://reader035.fdocument.org/reader035/viewer/2022070413/56814c1e550346895db91fb9/html5/thumbnails/24.jpg)
24
Closing remarks
In summary: propose SAS, SASD, MSD schemes first based on low-exponent RSA and factoring outperform existing schemes in many respects free choice of modulus size work with existing RSA/Rabin keys
Tight reduction using Katz-Wang, or next talk
Full version: ePrint Report 2008/063