Trapdoor Permutation-Based Sequential Aggregate Signatures Framework

a unified framework for trapdoor permutation n.w
1 / 40
Embed
Share

Explore a unified framework for trapdoor permutation-based sequential aggregate signatures with applications in internet routing protocols like Border Gateway Protocol (BGP). Learn about the motivation, security definitions, and prior constructions in this innovative field. Discover how sequential aggregate signatures simplify signature chains and enhance space efficiency while ensuring security against adversarial signers.

  • Permutation
  • Aggregate Signatures
  • Security
  • BGP
  • Framework
rayaanacharya
jveron Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. A Unified Framework for Trapdoor-Permutation-Based Sequential Aggregate Signatures Craig Gentry Adam O Neill Leonid Reyzin IBM Georgetown U. Boston U. 1

  2. Motivating Example: Border Gateway Protocol (BGP) Q: How do you get from here to there on the internet? A: BGP [Rekhter, Lougheed, Li, Hares] Idea: utilize local knowledge Each autonomous system (AS) knows Each AS knows its connections (customer-provider, peer) Each AS can talk to its neighbors what IP addresses it owns 2

  3. Border Gateway Protocol (BGP) Dear AT&T: to get to 107.20.211.* come to Georgetown AT&T Georgetown U (owns 107.20.211.*) Georgetown Dear Comcast: to get to 107.20.211.*, you can go AT&T Georgetown Dear Boston U: to get to 107.20.211.* , you can go Comcast AT&T Georgetown Georgetown AT&T Comcast Georgetown AT&T Boston U Comcast S-BGP [Kent-Lynn-Seo 2000]: Same but with signatures 3

  4. Sequential Aggregate Signatures (SAS) S-BGP requires possibly long signature chains Q: Can we compress multiple signatures to save space? A: Sequential Aggregate Signatures (SAS) [Lysyanskaya Micali Reyzin Shacham 04]: Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Several prior TDP-based constructions Note: [Boneh Gentry Lynn Shacham 2003] allow non-sequential (even third-party) aggregation post signing, but based on pairings This work: understanding + improving TDP-based Sequential Aggregate Signatures 4

  5. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS] [Neven] Our General Construction History-free variants 5

  6. SAS Security Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Equivalent to what you get from simply concatenating individual signatures, without any aggregation Adversary model: arbitrary subset of adversarial signers 6

  7. SAS Security Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Equivalent to what you get from simply concatenating individual signatures, without any aggregation Adversary model: arbitrary subset of adversarial signers 7

  8. SAS Security Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Equivalent to what you get from simply concatenating individual signatures, without any aggregation Adversary model: arbitrary subset of adversarial signers Chosen Message-and-Aggregate-so-Far attack 8

  9. SAS Security Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Equivalent to what you get from simply concatenating individual signatures, without any aggregation Adversary model: arbitrary subset of adversarial signers Chosen Message-and-Aggregate-so-Far attack 9

  10. SAS Security Signer 1 Signer 3 Signer 2 m2, 2 m1, 1 m3, 3 i attests to m1 m2 mi on behalf of PK1 PK2 PKi Equivalent to what you get from simply concatenating individual signatures, without any aggregation Adversary model: arbitrary subset of adversarial signers Chosen Message-and-Aggregate-so-Far attack Even after such an attack, adversary can t frame the honest parties Adversary can t output any (m1, m2, m3, 3) that verifies as long as Signer 2 never signed m2* * * * * 10

  11. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS] [Neven] Our General Construction History-free variants 11

  12. Review: Full-Domain Hash Signatures [Bellare-Rogaway 93] Trapdoor permutation public key PK=f, secret key SK=f 1 Hash (random oracle) function H (output range equals domain of f ) Steps of the Signer: y= H (m) y x= f 1 ( y) x m H f 1 Steps of the Verifier: y= H (m) ? ? = y y= f( x) x m H f 12

  13. LMRS Aggregate Signature Scheme [Lysyanskaya-Micali-R-Shacham 04] Steps of Signer 2: Check that PK1= f1 specifies a permutation Verify x1 using PK1,m1 y1 PK1 x1 Signer 1: f 1 1 H m1 g2 = H (PK1, PK2, m1, m2) y2 = g2 x1 g2 y2 PK1, PK2 x2 f 1 2 H m1, m2 x2= f 1 ( y2) 2 g3 y3 PK1, PK2, PK3 x3 f 1 3 H m1, m2, m3 Steps of Signer 3: Check that PK1= f1, PK2 = f2 specify permutations Verify x2 using PK1, PK2, m1, m2 13

  14. LMRS Aggregate Signature Scheme [Lysyanskaya-Micali-R-Shacham 04] Steps of Signer 2: Check that PK1= f1 specifies a permutation Verify x1 using PK1,m1 g2 = H (PK1, PK2, m1, m2) y2 = g2 x1 getting certified TDPs takes work: for RSA, either extra proofs [Goldberg-Reyzin-Sagga-Baldimtsi 18] [Auerbach-Poettering 18] or long verification exponents x2= f 1 ( y2) 2 Steps of Signer 3: Check that PK1= f1, PK2 = f2 specify permutations Verify x2 using PK1, PK2, m1, m2 14

  15. LMRS Aggregate Signature Scheme [Lysyanskaya-Micali-R-Shacham 04] Steps of Signer 2: Check that PK1= f1 specifies a permutation Verify x1 using PK1,m1 y1 PK1 x1 f 1 1 H m1 g2 = H (PK1, PK2, m1, m2) y2 = g2 x1 g2 y2 PK1, PK2 x2 f 1 2 H m1, m2 x2= f 1 ( y2) 2 g3 y3 PK1, PK2, PK3 x3 f 1 3 H m1, m2, m3 Steps of Signer 3: Check that PK1= f1, PK2 = f2 specify permutations Verify x2 using PK1, PK2, m1, m2 15

  16. LMRS Aggregate Signature Scheme [Lysyanskaya-Micali-R-Shacham 04] Q: What happens if f1is not a permutation? A: Adversary can control input to f2 and thus attack signer 2! Q: What happens if f1is an adversarial permutation? Q: Verify-before-sign means adversary has no control over x1 y1 PK1 x1 f 1 1 H m1 g2 y2 PK1, PK2 x2 f 1 2 H m1, m2 g3 y3 PK1, PK2, PK3 x3 f 1 3 H m1, m2, m3 16

  17. LMRS Verification Verifier knows: last signature x3, messages m1,m2,m3 public keys PK1=f1, PK2=f2, PK3=f3 =? g1 y1 PK1 x1 f1 H m1 g2 y2 PK1, PK2 x2 f2 H m1, m2 g3 y3 PK1, PK2, PK3 x3 f3 H m1, m2, m3 To sum up: scheme works because can be undone, but requires certified trapdoor permutations 17

  18. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS]: requires certified TDPs [Neven]: works even adversary gives nonpermutations! Our General Construction History-free variants 18

  19. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) y1 PK1 x1 Steps of Signer 1: G H f 1 1 m1 h1 19

  20. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) First, verify(x1, h1) using PK1,m1 Steps of Signer 2: 2 = H (PK1, PK2, x1, m1, m2) h2= 2 h1 y2 = G(h2) x1 x2= f 1(y2) 2 y1 PK1 x1 G H f 1 1 m1 h1 PK1,PK2 2 y2 m1, m2 x2 f 1 2 G H h2 3 y3 PK1, PK2, PK3 x3 f 1 3 G H m1, m2, m3 h3 First, verify(x2, h2) using PK1, PK2, m1, m2 Steps of Signer 3: 20

  21. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) y1 ? PK1 x1 G H f 1 1 m1 h1 PK1,PK2 2 y2 m1, m2 x2 f 1 2 G H h2 3 y3 PK1, PK2, PK3 x3 f 1 3 G H m1, m2, m3 h3 Q: How do even verify? 21

  22. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) The transformation from (x2, h2) to (y3, h3) is invertible! x2 = G(h3) y3 x2 h2 3 y3 G H h3 22

  23. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) The transformation from (x2, h2) to (y3, h3) is invertible! x2 = G(h3) y3 h2 = H(x2) h3 x2 h2 3 y3 G H h3 23

  24. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) The transformation from (x2, h2) to (y3, h3) is invertible! x2 = G(h3) y3 h2 = H(x2) h3 x2 h2 3 y3 G H h3 24

  25. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) The transformation from (x2, h2) to (y3, h3) is invertible! x2 = G(h3) y3 h2 = H(x2) h3 So verifier can compute y3=f3(x3), get to (x2, h2), and repeat This is just 2 rounds of (unbalanced) Feistel x2 h2 3 y3 x3 f3 G H h3 25

  26. [Neven08] Aggregate Signature Scheme Hash function H (short outputs), G (full domain outputs) Signature has two components: (x, h) y1 ? PK1 x1 G H f 1 1 m1 h1 PK1,PK2 2 y2 m1, m2 x2 f 1 2 G H h2 3 y3 PK1, PK2, PK3 x3 f 1 3 G H m1, m2, m3 h3 Q: Why no certified TDP? What if f1 is not a TDP? A: Adversary can t control y2, because now x1 gets hashed before 26

  27. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS]: requires certified TDPs [Neven]: works even adversary gives nonpermutations! Our General Construction History-free variants 27

  28. Our Aggregate Signature Scheme x1 PK1, PK2 LMRS: (certified TDPs) x2 f 1 2 H m1, m2 x1 h1 PK1,PK2 y2 2 Neven: m1, m2 x2 f 1 2 G H h2 x1 y2 x2 ? 1 f 1 2 This Work: ?is an ideal cipher (keyed public random permutation, like AES) ?can t be AES, because need bigger domain (at least for f = RSA) But: ?can be built from random oracle via 8-round Feistel K=(PK1, PK2, m1, m2) [Coron, Holenstein, K nzler, Patarin, Seurin,Tessaro; Dachman-Soled, Katz, Thiruvengadam; Dai-Steinberger 16] 28

  29. Our Aggregate Signature Scheme x1 PK1, PK2 LMRS: (certified TDPs) x2 f 1 2 H m1, m2 x1 h1 PK1,PK2 y2 2 Neven: m1, m2 x2 f 1 2 G H h2 x1 y2 x2 ? 1 f 1 2 This Work: K=(PK1, PK2, m1, m2) - Simpler and easier to analyze (proofs in the paper) - Doesn t require certified TDPs (same as Neven) - Aggregate signature has only one component (shorter than Neven if you believe in ideal ciphers) 29

  30. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS]: requires certified TDPs [Neven]: works even adversary gives nonpermutations! Our General Construction History-free variants 30

  31. Why History-Free? LMRS, Neven, and our scheme: all require verify-before-sign Devastating attack if you use your f 1 before verifying what you put into it!

  32. Why History-Free? x1 y2 x2 ? 1 f 1 2 K=(PK1, PK2, m1, m2) LMRS, Neven, and our scheme: all require verify-before-sign Devastating attack if you use your f 1 before verifying what you put into it! (Chosen-aggregate attack using a bogus x1 to get a y2 collision)

  33. Why History-Free? LMRS, Neven, and our scheme: all require verify-before-sign Devastating attack if you use your f 1 before verifying what you put into it! m1 Georgetown Problem with verify-before-sign: m2Georgeto Verification requires retrieving current PKs (out of 85000 ASes on the internet) If you wait to verify before forwarding, you ll delay others (who can anyway verify on their own) AT&T wn m3 Georgeto AT&T wn At times of high load, need lazy (delayed) verification Comcast 33

  34. History-Free Variants x1 y2 x2 ? 1 f 1 2 K=(PK1, PK2, m1, m2)

  35. History-Free Variants x1 y2 x2 ? 1 f 1 2 K=(PK2, m2) Problem: not secure!

  36. Randomized History-Free Variant x1 ) y2 x2 ? 1 f 1 2 r2 K=(PK2, m2, Just add fresh randomness to the key for ?[Brogle-Goldberg-Reyzin 12] Drawback: final aggregate is r1 r2 rn xn not constant size but still better than nindividual sigs because each ri is short Intuition why it works: Adversary can t predict y2, so this is like FDH

  37. Deterministic History-Free Variant x1 ) y2 x2 ? 1 f 1 2 r2 K=(PK2, m2,

  38. Deterministic History-Free Variant x1 ) y2 x2 ? 1 f 1 2 K=(PK2, m2 tag = H(PK2, m2) Use tag-based TDP (tag is a public input that defines a fresh TDP) Tag-based TDP can be built on a variant of strong RSA [Kiltz-Mohassel-O Neill 10] Intuition why it works: chosen message attack will hit the wrong tag

  39. Outline Sequential Aggregate Signatures (SAS) Security Definition Prior Constructions [LMRS]: requires certified TDPs [Neven]: works even adversary gives nonpermutations! Our General Construction History-free variants (randomness or stronger assumption) 39

  40. Conclusion x1 y2 x2 ? 1 f 1 2 This Work: K=(PK1, PK2, m1, m2) - Simpler and easier to analyze - Unfortunately, current techniques for building ? have a large security loss, so parameters not practical (while [Neven 08] is practical assuming RO) - Let s build ideal ciphers with good parameters! - Question: if you build ?using RO, you need 8 rounds of Feistel. Neven works with 2 rounds of Feistel, but ends up with longer sigs. Do you really need an ideal cipher for the shorter sigs? 40

Related


Vatican Council. 1962-1965

Vatican Council. 1962-1965

eesa
Business Horoscope 2024

Business Horoscope 2024

Jyotishi
Health Horoscope 2024

Health Horoscope 2024

Jyotishi
Pregnancy Horoscope 2024

Pregnancy Horoscope 2024

Jyotishi
Optimization of Thermodynamic Balance Control in LEO Biosphere 2

Optimization of Thermodynamic Balance Control in LEO Biosphere 2

joziah
Techniques for Mastering Key Word Transformations in the C1 Advanced Use of English Exam

Techniques for Mastering Key Word Transformations in the C1 Advanced Use of English Exam

dev
CO2 Czech Solution Group: Advancing Industrial Carbon Capture and Utilization

CO2 Czech Solution Group: Advancing Industrial Carbon Capture and Utilization

raegan
CNF-FSS and Its Applications: PKC 2022 March 08

CNF-FSS and Its Applications: PKC 2022 March 08

zaynah
Insights from Leo Tolstoy's

Insights from Leo Tolstoy's "Three Questions

indigo
Có nên leo cầu thang khi mang thai 3 tháng cuối

Có nên leo cầu thang khi mang thai 3 tháng cuối

nhat
Có nên leo cầu thang khi mang thai không

Có nên leo cầu thang khi mang thai không

hanoi
Washington Township Trustee Meeting Highlights - September 28, 2021

Washington Township Trustee Meeting Highlights - September 28, 2021

adelyte
Washington Township Trustee Meeting Summary - June 8, 2021

Washington Township Trustee Meeting Summary - June 8, 2021

viktoria
Saint Leo University First Year Housing Guide 2017-2018

Saint Leo University First Year Housing Guide 2017-2018

bowen
Saint Leo University Transfer Housing Guide 2018-2019: Selection Process for Incoming Transfer Students

Saint Leo University Transfer Housing Guide 2018-2019: Selection Process for Incoming Transfer Students

katniss
Cách leo cầu thang giảm cân một cách an toàn

Cách leo cầu thang giảm cân một cách an toàn

nhat
Post-Quantum Cryptography Security Proofs and Models Overview

Post-Quantum Cryptography Security Proofs and Models Overview

siddhi
Bài tập leo cầu thang có giảm mỡ bụng không

Bài tập leo cầu thang có giảm mỡ bụng không

nhat
Ken Ludwig's Leading Ladies - A Comedy of Cross-Dressing and Deception

Ken Ludwig's Leading Ladies - A Comedy of Cross-Dressing and Deception

wmcde
Mang thai IVF leo cầu thang có an toàn không

Mang thai IVF leo cầu thang có an toàn không

satcanxidhabau
Washington Township Trustee Meeting Updates - July 2021

Washington Township Trustee Meeting Updates - July 2021

genn_33
Update on OCC Projects and Initiatives

Update on OCC Projects and Initiatives

roug_t

More Related Content