Sequential Aggregate Signatures and Multisignatures Without Random Oracles
Transcript of Sequential Aggregate Signatures and Multisignatures Without Random Oracles
1
Sequential Aggregate Signatures
and Multisignatures Without Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters
2
Secure BGP
BGP “Speakers” send path update messages
S-BGP sequence of messages + sigs.
4096 byte size limit
$(M_1,\sigma_1)$
$(M_1,\sigma_1), (M_2,\sigma_2)$
$(M_1,\sigma_1), (M_2,\sigma_2), (M_3,\sigma_3)$
3
Aggregate Sigs [BGLS03]
Sign Aggregate
4
Aggregate Signatures [BGLS03]
A single short aggregate provides nonrepudiation for many different messages under many different keys
More general than multisignatures
Applications:
• X.509 certificate chains
• Secure BGP route attestations
• PGP web of trust
[Diagram labels: Verisign, Verisign Europe, NatWest, WWW]
5
BGLS Aggregate Sigs
BLS Sigs:
$PK = g^{a}$, $SK = a$
Sign$(SK, M)$: $\sigma = H(M)^{a}$
Verify$(PK, M, \sigma)$: $e(\sigma, g) = e(H(M), PK)$
Secure in R.O. Model --- Deterministic Signatures
6
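BGLS Aggregate Sigs
$PK_i = g^{a_i}$, $SK_i = a_i$
Sign$(SK_i, M_i)$: $\sigma_i = H(M_i)^{a_i}$
Aggregate$(\sigma_1, \dots, \sigma_n)$: $\sigma^* = \prod_{i=1,\dots,n} \sigma_i$
Verify$(PK_i, M_1, \dots, M_n, \sigma^*)$: $e(\sigma^*, g) = \prod_{i=1,\dots,n} e(H(M_i), PK_i)$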
Verification requires n pairings
7
Difficulty w/o Random Oracles
Known efficient signatures have a random component
• Strong RSA sigs [GHR’99, CS’99]
• B-Map [BB’04, CL’04, W’05]
• Tree-sigs
Difficult to aggregate
• Independent signatures => Independent randomness
8
Sequential Aggregates [LMRS’04]
Signing and Aggregation are a single operation
Inherently sequenced; not appropriate for PGP
Sign and Aggregate
9
Our Approach
Build from W’05 signatures
Signer uses same randomness from previous sig
Then re-randomizes
10
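Our Aggregate Sigs
W’05 Sigs:
$PK = e(g,g)^{a}, h, u_1, \dots, u_m$; $SK = a$
Sign$(SK, M)$: $\sigma = (\sigma', \sigma'') = \big(g^{a} (h \prod_{i=1,\dots,m} u^{M_i})^{r},\ g^{-r}\big)$
Verify$(PK, M, \sigma)$: $e(\sigma', g)\, e(\sigma'', h \prod_{i=1,\dots,m} u^{M_i}) = e(g,g)^{a}$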
Secure w/o R.O.s
11
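Our Aggregate Sigs
$PK_i = e(g,g)^{a_i},\ h_i = g^{y_i'},\ u_{i,1} = g^{y_{i,1}}, \dots, u_{i,m} = g^{y_{i,m}}$
$SK = a_i, y_i', y_{i,1}, \dots, y_{i,m}$
Agg$(SK_i, M_i, \sigma^* = (\sigma_1, \sigma_2))$:
$x = DL(h \prod_{j=1,\dots,m} u^{M_{i,j}})$
$\sigma = (\sigma', \sigma'') = (g^{a} \sigma_2^{x} \sigma_1,\ \sigma_2)$
Verify$(PK, M_1, \dots, M_n, \sigma^* = (\sigma', \sigma''))$: $e(\sigma', g)\, e(\sigma'', \prod_{i=1,\dots,n} h_i \prod_{j=1,\dots,m} u^{M_{i,j}}) = \prod_{i=1,\dots,n} e(g,g)^{a_i}$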
Know DL PK
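The aggregation step on this slide can be sanity-checked in a toy exponent model, as an added example that is not code from the talk or the paper: each group element g^t is stored as its exponent t mod a prime Q, so the pairing becomes multiplication of exponents. It checks the algebra only and gives no security; Q, M_BITS and all function names are assumptions, the first signer starts from the identity pair (0, 0), and because σ'' = g^{-r} as in the W’05 sigs, the new signer's term is applied as σ_2^{-x}.

```python
import secrets

Q, M_BITS = 2**127 - 1, 8   # toy prime group order, message bit length (assumptions)

# Toy model, NOT secure: g^t is stored as its exponent t mod Q, so a group
# product adds exponents and the pairing e(g^s, g^t) multiplies them.
def pair(s, t):
    return s * t % Q

def rand():
    return secrets.randbelow(Q - 1) + 1

def dot(ys, msg):
    return sum(y * ((msg >> j) & 1) for j, y in enumerate(ys))

def keygen():
    sk = {"a": rand(), "y0": rand(), "y": [rand() for _ in range(M_BITS)]}
    # PK_i = e(g,g)^{a_i}, h_i = g^{y_i'}, u_{i,j} = g^{y_{i,j}}
    pk = {"A": pair(sk["a"], 1), "h": sk["y0"], "u": list(sk["y"])}
    return sk, pk

def hash_elem(pk, msg):
    # h_i * prod_j u_{i,j}^{M_{i,j}}, computed from public values only
    return (pk["h"] + dot(pk["u"], msg)) % Q

def verify(pks, msgs, sig):
    s1, s2 = sig
    H = sum(hash_elem(p, m) for p, m in zip(pks, msgs)) % Q
    # e(s1, g) * e(s2, prod_i hash_i) == prod_i e(g,g)^{a_i}: two pairings
    return (pair(s1, 1) + pair(s2, H)) % Q == sum(p["A"] for p in pks) % Q

def agg_sign(sk, pk, msg, pks, msgs, sig=(0, 0)):
    if not verify(pks, msgs, sig):
        raise ValueError("aggregate so far does not verify")
    s1, s2 = sig
    x = (sk["y0"] + dot(sk["y"], msg)) % Q   # DL known only to the key owner
    s1 = (s1 + sk["a"] - s2 * x) % Q         # s1 * g^a * s2^(-x)
    r = rand()                               # fresh re-randomization
    H = sum(hash_elem(p, m) for p, m in zip(pks + [pk], msgs + [msg])) % Q
    return (s1 + r * H) % Q, (s2 - r) % Q

def sign_chain(msgs):
    # Run one signer per message in sequence; returns (public keys, aggregate).
    pks, sig = [], (0, 0)
    for i, m in enumerate(msgs):
        sk, pk = keygen()
        sig = agg_sign(sk, pk, m, pks, msgs[:i], sig)
        pks.append(pk)
    return pks, sig
```

The aggregate stays two group elements however many signers join, and `verify` uses two pairings regardless of n.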
12
Comparisons
Scheme   R.O.  Sequential  Size       Ver.           Sign
BGLS     YES   NO          160 bits   n+1 pairings   1 exp.
LMRS-2   YES   YES         1024 bits  4 mult.        Ver. + 1 exp.
Ours     NO    YES         320 bits   2 pairings     Ver. + 1 exp.
Shorter than LMRS
Faster Ver. than BGLS
13
Summary and Open Problems
Sequential Aggregate Signatures w/o R.O.
• Use same randomness sequentially
• Arguably better performance than R.O. schemes
Multi-Sigs and Verifiable Enc. Sigs
Shorter Public Parameters
• Certificate Chains
Full Aggregate Signatures
14
THE END
15
Sequential Aggregate Chosen-Key Model
Nontriviality:
σ* is a valid sequential aggregate
challenge key $pk = pk_j^*$ for some $j$;
No oracle query at $pk_1^*, \dots, pk_j^*;\ M_1^*, \dots, M_j^*$.
Adversary
AggSign() oracle