Sequential Aggregate Signatures and Multisignatures Without Random Oracles Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters.


Sequential Aggregate Signatures
and Multisignatures
Without Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai,
Hovav Shacham, and Brent Waters
1
Secure BGP
BGP “Speakers” send path update messages
• S-BGP: sequence of messages + sigs.
• 4096 byte size limit
$(M_1, \sigma_1)$
$(M_1, \sigma_1), (M_2, \sigma_2), (M_3, \sigma_3)$
$(M_1, \sigma_1), (M_2, \sigma_2)$
2
Aggregate Sigs [BGLS03]
Sign
Aggregate
3
Aggregate Signatures
[BGLS03]
• A single short aggregate provides nonrepudiation for many different messages under many different keys
• More general than multisignatures
• Applications:
  • X.509 certificate chains
  • Secure BGP route attestations
  • PGP web of trust
[Figure: certificate chain with labels Verisign, Verisign Europe, NatWest, NatWest WWW]
4
BGLS Aggregate Sigs
BLS Sigs:
SK = $a$
PK = $g^a$
Sign(SK, M): $\sigma = H(M)^a$
Verify(PK, M, $\sigma$): $e(\sigma, g) = e(H(M), PK)$
Secure in R.O. Model --- Deterministic Signatures
5
BGLS Aggregate Sigs
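$SK_i = a_i$
$PK_i = g^{a_i}$
Sign($SK_i$, $M_i$): $\sigma_i = H(M_i)^{a_i}$
Aggregate($\sigma_1, \ldots, \sigma_n$): $\sigma^* = \prod_{i=1}^{n} \sigma_i$
Verify($PK_i$, $M_1, \ldots, M_n$, $\sigma^*$): $e(\sigma^*, g) = \prod_{i=1}^{n} e(H(M_i), PK_i)$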
Verification requires n pairings
6
Difficulty w/o Random Oracles

Known efficient signatures have a random component
• Strong RSA sigs [GHR’99, CS’99]
• B-Map [BB’04, CL’04, W’05]
• Tree sigs

Difficult to aggregate
• Independent signatures => Independent randomness
7
Sequential Aggregates
[LMRS’04]
Sign and Aggregate
• Signing and Aggregation are a single operation
• Inherently sequenced; not appropriate for PGP
8
Our Approach

Build from W’05 signatures

Signer uses same randomness from previous sig

Then re-randomizes
9
Our Aggregate Sigs
W’05 Sigs:
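SK = $a$
PK = $e(g,g)^a,\ h,\ u_1, \ldots, u_m$
Sign(SK, M): $\sigma = (\sigma', \sigma'') = \left( g^a \left( h \prod_{i=1}^{m} u_i^{M_i} \right)^r,\ g^{-r} \right)$
Verify(PK, M, $\sigma$): $e(\sigma', g)\, e\!\left(\sigma'', h \prod_{i=1}^{m} u_i^{M_i}\right) = e(g,g)^a$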
Secure w/o R.O.s
10
Our Aggregate Sigs
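$PK_i = e(g,g)^{a_i},\ h_i = g^{y_i'},\ u_{i,1} = g^{y_{i,1}}, \ldots, u_{i,m} = g^{y_{i,m}}$
$SK_i = a_i,\ y_i',\ y_{i,1}, \ldots, y_{i,m}$
Signer knows the discrete logs (DL) of the PK elements
Agg($SK_i$, $M_i$, $\sigma^* = (\sigma_1, \sigma_2)$):
$x = DL\!\left( h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}} \right)$
$\sigma^* = (\sigma', \sigma'') = \left( g^{a_i}\, \sigma_2^{-x}\, \sigma_1,\ \sigma_2 \right)$
Verify(PK, $M_1, \ldots, M_n$, $\sigma^* = (\sigma', \sigma'')$):
$e(\sigma', g)\, e\!\left( \sigma'', \prod_{i=1}^{n} h_i \prod_{j=1}^{m} u_{i,j}^{M_{i,j}} \right) = \prod_{i=1}^{n} e(g,g)^{a_i}$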
11
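The algebra of the two preceding slides can be checked in a toy model that stores each group element g^x as its exponent x mod a prime, so the pairing becomes multiplication of exponents. This is an added example, not code from the talk or the paper, and it has no security because every discrete log is visible. The names (Q, pair, keygen, hash_exp, verify, agg_sign, demo), the check of the incoming aggregate, and the explicit form of the re-randomization step are assumptions; σ'' = g^{-r} as on the W’05 slide.

```python
import secrets

Q = 2**127 - 1  # prime order of the toy group (constructed value)

def pair(x, y):
    """e(g^x, g^y) = e(g,g)^(x*y), written on exponents."""
    return (x * y) % Q

def keygen(m):
    """(a_i, y_i', y_i1..y_im); the PK is g or e(g,g) raised to these."""
    return [secrets.randbelow(Q - 1) + 1 for _ in range(m + 2)]

def hash_exp(key, bits):
    """x = DL(h_i * prod_j u_ij^M_ij) = y_i' + sum of y_ij where M_ij = 1."""
    _, y0, *ys = key
    return (y0 + sum(y for y, b in zip(ys, bits) if b)) % Q

def verify(keys, msgs, sig):
    """e(s', g) * e(s'', prod_i h_i prod_j u_ij^M_ij) == prod_i e(g,g)^a_i."""
    s1, s2 = sig
    total_x = sum(hash_exp(k, m) for k, m in zip(keys, msgs)) % Q
    return (pair(s1, 1) + pair(s2, total_x)) % Q == sum(k[0] for k in keys) % Q

def agg_sign(key, bits, keys, msgs, sig=(0, 0)):
    """Signer i folds (key, bits) into the aggregate over (keys, msgs)."""
    if not verify(keys, msgs, sig):
        raise ValueError("incoming aggregate does not verify")
    s1, s2 = sig
    x = hash_exp(key, bits)
    w1 = (s1 + key[0] - x * s2) % Q      # g^a_i * s2^(-x) * s1: reuses r
    keys, msgs = keys + [key], msgs + [bits]
    t = secrets.randbelow(Q)             # fresh randomness for re-randomizing
    total_x = sum(hash_exp(k, m) for k, m in zip(keys, msgs)) % Q
    return keys, msgs, ((w1 + t * total_x) % Q, (s2 - t) % Q)

def demo(n=3, m=8):
    keys, msgs, sig = [], [], (0, 0)     # (0, 0) is the empty aggregate (1, 1)
    for _ in range(n):
        bits = [secrets.randbelow(2) for _ in range(m)]
        keys, msgs, sig = agg_sign(keygen(m), bits, keys, msgs, sig)
    tampered = [list(b) for b in msgs]
    tampered[1][0] ^= 1                  # flip one bit of signer 2's message
    return verify(keys, msgs, sig), verify(keys, tampered, sig), len(sig)
```

The aggregate stays at two group elements for any number of signers, and changing a single message bit breaks verification.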
Comparisons
Scheme   R.O.  Sequential  Size       Ver.          Sign
BGLS     YES   NO          160 bits   n+1 pairings  1 exp.
LMRS-2   YES   YES         1024 bits  4 mult.       Ver. + 1 exp.
Ours     NO    YES         320 bits   2 pairings    Ver. + 1 exp.
Shorter than LMRS
Faster Ver. than BGLS
12
Summary and Open Problems

Sequential Aggregate Signatures w/o R.O.
• Use same randomness sequentially
• Arguably better Performance than R.O. schemes

Multi-Sigs and Verifiable Enc. Sigs

Shorter Public Parameters
• Certificate Chains

Full Aggregate Signatures
13
THE END
14
Sequential Aggregate Chosen-Key Model
[Figure: Adversary and AggSign() oracle]
Nontriviality:
• $\sigma^*$ is a valid sequential aggregate
• challenge key $pk = pk_j^*$ for some $j$;
• No oracle query at $pk_1^*, \ldots, pk_j^*$; $M_1^*, \ldots, M_j^*$.
15