Transitive Signatures based on Factoring and RSA
Mihir Bellare (University of California, San Diego, USA)
Gregory Neven (Katholieke Universiteit Leuven, Belgium)
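
Standard digital signatures
[Figure: SKG takes $1^k$ and outputs $(spk, ssk)$; SSign, keyed with $ssk$, takes $M$ and outputs $\sigma$; SVf, keyed with $spk$, takes $M$ and $\sigma'$ and outputs accept/reject]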
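
Transitive signatures [MR02]
Message is a pair of nodes $i, j$
Signing $i, j$ = creating and authenticating edge $\{i, j\}$
An authenticated graph grows with time
[Figure: TKG takes $1^k$ and outputs $(tpk, tsk)$; TSign, keyed with $tsk$, takes $i, j$ and outputs $\sigma_{i,j}$; TVf, keyed with $tpk$, takes $i, j$ and $\sigma'$ and outputs accept/reject. Example graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$]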
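
Transitive signatures [MR02]
Additional composition algorithm
[Figure: Comp, given $tpk$, takes $i, j, k$ with $\sigma_{i,j}$ and $\sigma_{j,k}$ and outputs $\sigma_{i,k}$; for nodes 1, 2, 3 it takes $\sigma_{1,2}$ and $\sigma_{2,3}$ and outputs $\sigma_{1,3}$. TKG, TSign and TVf as on the previous slide]
Authenticated graph is transitive closure of directly signed edges
[Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$ and composed edge $\sigma_{1,3}$]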

Security of transitive signatures
Standard security definition of [GMR] doesn't apply: composition allows forgery to some extent
New security goal [MR02]: computationally infeasible to forge signatures not in transitive closure of the edges signed directly by the signer, even under "chosen-edge" attack
[Figure: forger F receives $tpk$ and queries the oracle $\mathrm{TSign}_{tsk}(\cdot,\cdot)$ on edges $\{1,2\}$, $\{2,3\}$, $\{4,5\}$, obtaining $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; the graph on nodes 1 to 5 also shows $\sigma_{1,3}$; F outputs $\{1,4\}, \sigma_{1,4}$]

Why transitive signatures?
Applications? Micali and Rivest suggest
  military chain-of-command (directed)
  administrative domains (undirected)
Compelling application yet to be found
But a cool concept!

RSATS-1: RSA based scheme [MR02]
Assume standard signature scheme with key pair $(spk, ssk)$; $[M]$ denotes message $M$ signed under $ssk$
$tpk = (spk, N, e)$
$tsk = ssk$
Signer assigns to each node $i$:
  secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
  public label $y_i \leftarrow x_i^e \bmod N$
  node certificate $[i, y_i]$
To sign edge $\{1,2\}$:
  edge label $\delta_{1,2} \leftarrow x_1 \cdot x_2^{-1} \bmod N$
  signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$
Verification of $([1, y_1], [2, y_2], \delta_{1,2})$:
  check node certificates
  check $\delta_{1,2}^e = y_1 \cdot y_2^{-1} \bmod N$
[Figure: graph on nodes 1, 2, 3 carrying labels $x_i$, $y_i$ and edge signature $\sigma_{1,2}$]
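
Composition in RSATS-1
To compose signatures $\sigma_{1,2}$ and $\sigma_{2,3}$ (with $[i, y_i]$ the node certificate of node $i$):
  $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ where $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
  $\sigma_{2,3} = ([2, y_2], [3, y_3], \delta_{2,3})$ where $\delta_{2,3} = x_2 \cdot x_3^{-1} \bmod N$
  $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ where
    $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N = (x_1 \cdot x_2^{-1})(x_2 \cdot x_3^{-1}) \bmod N = x_1 \cdot x_3^{-1} \bmod N$
$x_i$ are kept in signer's state
[Figure: graph on nodes 1, 2, 3 carrying labels $x_i$, $y_i$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]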

Non-adaptive security of RSATS-1
RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
  RSA is one-way
  underlying standard signature scheme is secure under chosen-message attack
Is RSATS-1 secure under adaptive attack?
  Neither proof nor attack known
  Might rely on stronger properties of RSA than one-wayness
  We consider security under one-more inversion [BNPS01]
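
RSA under one-more inversion
[Figure: adversary A receives $N, e$. The challenge oracle Chall returns $y_i \xleftarrow{R} \mathbb{Z}_N^*$, giving $y_1, \dots, y_m$. The inversion oracle $\mathrm{RSA}^{-1}_{N,e}(\cdot)$ on input $z_j$ returns $z_j^d \bmod N$, for $z_1, \dots, z_n$. A outputs $x_1, \dots, x_m$]
A is successful iff
  $x_i^e = y_i \bmod N$ for $i = 1..m$
  $n < m$
Assumption: this problem is hard [BNPS01]
Used before
  by [BNPS01] to prove security of Chaum's blind signatures
  by [BP02] to prove security of GQ identification scheme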

Adaptive security of RSATS-1
Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
  the one-more RSA-inversion problem is hard
  the underlying standard signature scheme is secure under chosen-message attack.
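
Proof idea for RSATS-1
[Figure: A receives $N, e$ and challenges $y_1, \dots, y_6$ from Chall, and runs forger F on $(spk, N, e)$ with the $y_i$ as labels of nodes 1 to 6. For F's query $\{1,2\}$, A sends $y_1 y_2^{-1}$ to $\mathrm{RSA}^{-1}$, obtains $\delta_{1,2}$ and returns $\sigma_{1,2}$; for query $\{2,3\}$, A sends $y_2 y_3^{-1}$, obtains $\delta_{2,3}$ and returns $\sigma_{2,3}$; query $\{1,3\}$ is answered with $\sigma_{1,3}$. The figure also shows $\sigma_{5,6}$, $\sigma_{4,6}$ and F's output $\sigma_{1,4}$. A outputs $x_1, \dots, x_6$]
The graph has one component of $n_1$ nodes, costing $n_1 - 1$ queries, and one of $n_2$ nodes, costing $n_2 - 1$ queries
If A would know $x_3$ (remember $\delta_{i,j} = x_i \cdot x_j^{-1}$):
  $x_2 \leftarrow \delta_{2,3} \cdot x_3$
  $x_1 \leftarrow \delta_{1,2} \cdot x_2$
$(n_1 - 1) + (n_2 - 1) + 1 = n_1 + n_2 - 1$ queries $< n_1 + n_2$ decrypted challenges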
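
FBTS-1: Factoring based scheme
$tpk = (spk, N)$; $tsk = ssk$
Signer assigns to each node $i$:
  secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
  public label $y_i \leftarrow x_i^2 \bmod N$
  node certificate $[i, y_i]$ (the pair $i, y_i$ signed under $ssk$)
Signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ with $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
Verification of $\sigma_{1,2}$:
  check signatures on $[1, y_1]$, $[2, y_2]$
  check $\delta_{1,2}^2 = y_1 \cdot y_2^{-1} \bmod N$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
  $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ with $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N$
[Figure: graph on nodes 1, 2, 3 carrying labels $x_i$, $y_i$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]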

Security of FBTS-1
Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
  factoring N is hard
  the underlying standard signature scheme is secure under chosen-message attack.
Proof idea:
  with probability 1/2, forgery gives second square root
  signatures might leak information about known root
  → information-theoretic lemma needed
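
The first step of the proof idea, as an added Python example that is not from the slides: a simulator that knows the labels $x_i$ turns a forged FBTS-1 edge label that is a different square root into a factor of $N$. The toy modulus, the function names, and the helper `other_root` (which uses P and Q to stand in for a forger's output) are constructed for illustration.

```python
import math

# Constructed toy modulus (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q

def edge_label(x_i, x_j):
    """Label the simulator computes from its own secrets: x_i * x_j^-1 mod N."""
    return x_i * pow(x_j, -1, N) % N

def check_edge(y_i, y_j, delta):
    """FBTS-1 edge check: delta^2 == y_i * y_j^-1 (mod N)."""
    return pow(delta, 2, N) == y_i * pow(y_j, -1, N) % N

def factor_from_forgery(x_i, x_j, forged_delta):
    """Return a non-trivial factor of N, or None when the forged label
    is +/- the root the simulator already knows (the unlucky half)."""
    known = edge_label(x_i, x_j)
    if forged_delta in (known, N - known):
        return None
    g = math.gcd((forged_delta - known) % N, N)
    return g if 1 < g < N else None

def other_root(delta):
    """Illustration only: build the root equal to +delta mod P and -delta mod Q.
    Uses P and Q, which neither a forger nor the simulator is given."""
    a, b = delta % P, (-delta) % Q
    return (a * Q * pow(Q, -1, P) + b * P * pow(P, -1, Q)) % N

if __name__ == "__main__":
    x1, x4 = 123456789, 987654321            # constructed secret labels
    y1, y4 = pow(x1, 2, N), pow(x4, 2, N)    # public labels y_i = x_i^2 mod N
    forged = other_root(edge_label(x1, x4))  # passes the check for edge {1,4}
    print(check_edge(y1, y4, forged), factor_from_forgery(x1, x4, forged))
```
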
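
Node certification paradigm
For each node $i$, the signer:
  chooses secret label $x_i$
  computes public label $y_i = f(x_i)$
  creates node certificate $[i, y_i]$ (the pair $i, y_i$ signed under $ssk$)
Signature $\sigma_{1,2} = ([1, y_1], [2, y_2], \delta_{1,2})$ where $\delta_{1,2} = g(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
  $\sigma_{1,3} = ([1, y_1], [3, y_3], \delta_{1,3})$ where $\delta_{1,3} = h(\delta_{1,2}, \delta_{2,3})$

| Scheme | $f(x_i)$ | $g(x_i, x_j)$ | $h(\delta_{i,j}, \delta_{j,k})$ |
|---|---|---|---|
| RSATS-1 | $x_i^e \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |
| FBTS-1 | $x_i^2 \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |

[Figure: graph on nodes 1, 2, 3 carrying labels $x_i$, $y_i$, with edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]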
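
Eliminating node certificates
Let $H_{tpk}$ be a public hash function
For each node $i$, signer lets:
  public label $y_i \leftarrow H_{tpk}(i)$
  secret label $x_i \leftarrow$ "inversion" of $y_i$ (using trapdoor information in $tsk$)
    RSATS-1 and FBTS-1, but not MRTS
Signature $\sigma_{1,2} = \delta_{1,2}$ where $\delta_{1,2} = f(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
  $\sigma_{1,3} = \delta_{1,3}$ where $\delta_{1,3} = g(\delta_{1,2}, \delta_{2,3})$
[Figure: graph on nodes 1, 2, 3 with $y_1 = H_{tpk}(1)$, $y_2 = H_{tpk}(2)$, $y_3 = H_{tpk}(3)$, secret labels $x_1, x_2, x_3$, edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]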

RSATS-2 and FBTS-2
RSATS-2: Straightforward application of this idea to RSATS-1
Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
  the one-more RSA-inversion problem is hard
  $H_N: \{0,1\}^* \to \mathbb{Z}_N^*$ is a random oracle.
FBTS-2: Modifications needed because public labels have to be squares mod N
Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
  factoring N is hard
  $H_N: \{0,1\}^* \to \mathbb{Z}_N^*[+1]$ is a random oracle.
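
An added Python sketch of RSATS-2 (not the authors' code): hash-derived public labels as on the previous slide, with the RSATS-1 edge label, check and composition. It goes slightly beyond the slides by composing along a whole path and using $\delta_{j,i} = \delta_{i,j}^{-1}$ for reversed edges. The toy key, SHA-256 standing in for $H_N$, and all function names are assumptions.

```python
import hashlib
import math

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                              # public: tpk = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor held in tsk

def public_label(i):
    """y_i = H_N(i). Assumption: SHA-256 reduced mod N stands in for the random oracle."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{i}|{ctr}".encode()).digest()
        y = int.from_bytes(digest, "big") % N
        if math.gcd(y, N) == 1:        # label must lie in Z_N^*
            return y
        ctr += 1

def tsign(i, j):
    """Signer only: x = y^D mod N inverts each label; delta_ij = x_i * x_j^-1 mod N."""
    x_i, x_j = pow(public_label(i), D, N), pow(public_label(j), D, N)
    return x_i * pow(x_j, -1, N) % N

def tvf(i, j, delta):
    """Anyone: accept iff delta^E == y_i * y_j^-1 (mod N)."""
    if not 0 < delta < N or math.gcd(delta, N) != 1:
        return False
    return pow(delta, E, N) == public_label(i) * pow(public_label(j), -1, N) % N

def compose_path(path, held):
    """Anyone: multiply held edge labels along a node path, inverting reversed edges."""
    delta = 1
    for a, b in zip(path, path[1:]):
        step = held[(a, b)] if (a, b) in held else pow(held[(b, a)], -1, N)
        delta = delta * step % N
    return delta

if __name__ == "__main__":
    # Directly signed edges of the slides' example graph.
    held = {(1, 2): tsign(1, 2), (2, 3): tsign(2, 3), (4, 5): tsign(4, 5)}
    d13 = compose_path([1, 2, 3], held)
    print(tvf(1, 3, d13), tvf(3, 1, compose_path([3, 2, 1], held)), tvf(1, 4, d13))
```

The signer keeps no per-node state here: each secret label is recomputed from the node name with the trapdoor, and the verifier recomputes each public label from the node name alone.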

Previously known schemes

| Scheme | Security assumption | Ad.? | Signature size |
|---|---|---|---|
| Trivial | Standard signatures | Yes | O(path length) |
| MRTS | Discrete logarithms; Standard signatures | Yes | 2 stand. sigs; 2 points in $G$; 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA; Standard signatures | No | 2 stand. sigs; 3 points in $\mathbb{Z}_N^*$ |

Scheme contributions

| Scheme | Security assumption | Ad.? | RO? | Signature size |
|---|---|---|---|---|
| Trivial | Standard signatures | Yes | No | O(path length) |
| MRTS | Discrete logarithms; Standard signatures | Yes | No | 2 stand. sigs; 2 points in $G$; 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA; Standard sigs | No | No | 2 stand. sigs; 3 points in $\mathbb{Z}_N^*$ |
| RSATS-1 | One-more RSA; Standard signatures | Yes | No | 2 stand. sigs; 3 points in $\mathbb{Z}_N^*$ |
| FBTS-1 | Factoring; Standard signatures | Yes | No | 2 stand. sigs; 3 points in $\mathbb{Z}_N^*$ |
| RSATS-2 | One-more RSA | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |
| FBTS-2 | Factoring | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |

Questions?