Upload
dennis-davis
View
217
Download
0
Embed Size (px)
Citation preview
Efficient Sequential Aggregate Signed Data
Gregory Neven
IBM Zurich Research Laboratory
work done while at K.U.Leuven
2
Digital signatures
(pk),M,σσ ← Sign(sk,M)
0/1 ← Verify(pk,M,σ)
(pk,sk) ← KeyGen()
3
Digital signatures
…
(pk1,…,pkn),M1,…,Mn, σ1,…, σn
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σni : 0/1 ← Verify(pki,Mi,σi)
A
4
Aggregate signatures (AS)
…
(pk1,…,pkn),M1,…,Mn, σ
σ1 ← Sign(sk1,M1)
σn ← Sign(skn,Mn)
σ1
σnσ ← Agg(σ1,…,σn)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[BGLS03]
5
Sequential aggregate signatures (SAS)
σ1 ← Sign(sk1,M1)
…
(pk1,…,pkn),M1,…,Mn, σ
σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn| , preferably constant
Motivation: certificate chainssecure routing protocolssave bandwidth (= battery life) for wireless devices
0/1 ← Verify(pk,M,σ)
[LMRS04]
6
Existing (S)AS schemes
Scheme Type Based on Key model RO
BGLS AS pairings plain Y
LMRS SAS RSA plain Y
LOSSW SAS pairings KoSK N
7
Drawbacks of existing schemes Current drawbacks of pairings (BGLS, LOSSW)
trust in assumptions vs. factoring, RSA no standardization implementations
Rather inefficient verification (BGLS, LMRS) BGLS: n pairings LMRS: certified claw-free trapdoor permutations
instantiation from RSA requires e > N
→ verification = signing = n full-length exps
Weak key setup model (LOSSW)
plain public-key vs. knowledge of secret key (KOSK)
8
cert1 ← Sign(sk1, ID2||pk2)
cert2 ← Sign(sk2, IDU||pk, cert1)
cert1
cert2
σ ← Sign(sk, M, cert2)
1
2
U
Drawbacks of existing schemes Security parameter flexibility (BGLS, LMRS, LOSSW)
e.g. certificate chains
BGLS, LOSSW: no flexibility whatsoever LMRS: increasing modulus size only
→ exact opposite of what we need No (S)AS schemes for currently existing keys/certificates!
secu
rity
leve
l
9
Our contributions
Generalization of SAS to SASD
SASD scheme with instantations from low-exponent RSA and factoring efficient signing (1 exp + O(n) mult) and
verification (O(n) mult) full flexibility in modulus size compatible with existing RSA/Rabin keys and certificates
Pure SAS scheme with same properties
Generalization of multi-signatures to multi-signed data (MSD) Non-interactive MSD scheme from RSA and factoring
(no pairings)
10
Sequential aggregate signatures
σ1 ← Sign(sk1,M1)
… σ2 ← Sign(sk2,M2,σ1)
σ1
σn-1
σ = σn ← Sign(skn,Mn,σn-1)
Goal: |σ| < |σ1| + … + |σn|
(pk1,…,pkn),M1,…,Mn, σ
0/1 ← Verify(pk,M,σ)
[LMRS04]
11
Sequential aggregate signed data (SASD)
Σ1 ← Sign(sk1,M1)
…
Σ
(pk,M)/ ← Verify(Σ)
Σ2 ← Sign(sk2,M2,Σ1)
Σ1
Σn-1
Σ = Σn ← Sign(skn,Mn,Σn-1)
Goal: minimize “net overhead” |Σ| – |M1| – … – |Mn|
┴
12
SASD scheme intuition
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
=
π -1
net overhead ≈ 160 bits
m µ
X hm
=
=Σ
M
13
SASD scheme intuition
m µ
X h
Step 1. Full-domain hash with message recovery
Trapdoor permutation π, message M = m||µ
H
G
m
π
net overhead ≈ 160 bits
=?
=
=Σ
M
14
SASD scheme intuition
m1 µ1
X1 h1
H
G
=
m1=
-1π
m2 µ2
X2 h2
H
G
m2
-1π
net overhead ≈ 2×160 = 320 bits
Step 2. Aggregating the hashes
Σ1
M1
=
=Σ2
M2
1
2
15
SASD scheme intuition
m1 µ1
G-1π
m2 µ2
G-1π
net overhead ≈ 160 bits
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
16
SASD scheme intuition
m1 µ1
G
π
m2 µ2
G
π
net overhead ≈ 160 bits
=?
H
H
Step 2. Aggregating the hashes (intuition only – insecure!)
X1 h1
=
m1=
X2 h2m2
Σ1
M1
=
=Σ2
M2
1
2
17
SASD scheme intuition
m1 µ1
X1 h1
Step 3. Recovering any type of data (intuition only – insecure!)
G
=
m1=
-1π
M2
X2 h2
G
M2
-1π
net overhead ≈ 160 bits
H
H
X1
=
=Σ1
M1
=Σ2
1
2
18
The SASD scheme
Step 4. Getting the details right: see paper.
Theorem. If there exists a forger that (t,qS,qH,qG,n,ε)-breaks SASD in the random oracle model, then there exists an algorithm that (t’,ε’)-finds a claw in Π, where
πmaxSmaxH
L
2SmaxGH
S
tn)1q(n2q)2d/1(t't
2
))1q(n2qq(4
)1q(e
ε'ε
19
Comparison of SAS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
BGLS pairings 160 1 E n P
LOSSW pairings 320 2 P + 160n M 2 P + 160n M
LMRS RSA 1024 n E n E
SASDRSA,
factoring160…1184 1 E + 2n M 2n M
SASRSA,
factoring1184 1 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
20
Non-interactive multi-signatures (MS)
Sign(sk1,M)
Sign(skn,M)
…(pk1,…,pkn), M, σ
Σ ← Agg(σ1,…, σn)
Goal: |σ| < |σ1| + … + |σn|
n signatures on same message M
σ1
σn0/1 ← Verify(pk,M,σ)
21
Non-interactive multi-signed data (MSD)
Sign(sk1,M)
Sign(skn,M)
…Σ
Σ ← Agg(Σ1,…, Σn)
Goal: minimize “net overhead” |Σ| – |M|
n signatures on same message M
Σ1
Σn(pk,M)/ ← Verify(Σ)┴
22
MSD scheme
m1 µ1
h
H
G
=
-1π
Each partial signature contains part of M
M m2 m3µ2 µ3 m4
G-1π
G-1π
m1 Σ1=Σ m2 m3Σ2 Σ3 m4
net overhead ≈ 160 bits
Who takes which part of M? Fully non-interactive: pos = hash(πi,M)
Known co-signers: fixed (e.g. lexicographic) order
1
2
3
23
Comparison of MS(D) schemes
Scheme Based onOverhead
(– |pk|)Sign Verify
Bol pairings 160 1 E 2 P + n M
LOSSW pairings 320 2 E + 160 M2 P +
(160+n) M
MSDRSA,
factoring160 …
1024n + 1601 E + 2n M 2n M
P = pairing E = exponentiation M = multiplication
n = #signatures in aggregate
24
Closing remarks
In summary: propose SAS, SASD, MSD schemes first based on low-exponent RSA and factoring outperform existing schemes in many respects free choice of modulus size work with existing RSA/Rabin keys
Tight reduction using Katz-Wang, or next talk
Full version: ePrint Report 2008/063