Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Dan Boneh and Xavier Boyen. J. Cryptol. (2008) 21: 149–177. Presenter: Yu-Chi Chen.

About this paper
  • One of the authors, Dan Boneh, is a well-known researcher in the areas of applied cryptography.
  • The previous version appeared at Eurocrypt 2004 (cited 600+ times). This paper is the full version (J. Cryptol.).
  • His website: http://crypto.stanford.edu/~dabo/
Summary
  • Part 1: Background of the security proof
  • Part 2: Background of the security proof
  • Part 3: BB-weakly secure short signature scheme with its security proof
  • Part 4: BB-full short signature scheme with its security proof
  • Part 5: (undecided)
Outline
  • Introduction
  • A simple signature scheme
  • Security analysis
  • Discussions
  • Conclusions
Introduction
  • Cryptographic scheme
  • Security argument vs. Security proof
  • Before 2000 vs. After 2000.
M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols
    • In Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993.
    • Cite: 2800+
ROM: Random oracle model
  • An adversary can submit its queries to the oracle.
  • The oracle behaves like a function $H: \{0,1\}^* \to \{0,1\}^k$.
    • Ex: H(x) = y
  • If the input x has been queried before, the oracle returns the same value y as before.
ROM
  • If the input x has never been queried, the oracle outputs a random y.
  • The output values are uniformly distributed.
Comments
  • ROM vs. Standard model
    • Hardness assumptions
    • Attacks
    • Security goals
    • Efficiency
Comments
  • Hardness assumptions:
    • The RSA problem (formal)
    • The variant RSA problem (informal)
    • The CDH problem (formal)
Attacks
    • Chosen message attack
    • Adaptive chosen message attack
    • Weak chosen message attack
    • CPA, CCA, CCA-2,…
Security goals
  • Existential unforgeability
  • Strong unforgeability
Efficiency
    • Computation
    • Communication
Outline
  • Introduction
  • A simple signature scheme
  • Security analysis
  • Discussions
  • Conclusions
Secure signature
  • (BB-SS, page 3)
  • KeyGen: Outputs a random key pair (pk, sk).
  • Sign: Takes sk and a message M, then returns a signature σ.
  • Verify: Takes pk and a signed message (σ, M), then returns valid or invalid.
Secure signature (cont.)
  • (BB-SS, page 4)
  • The signature scheme is said to be correct if the following property is satisfied.
Signature scheme
  • KeyGen:
  • Sign:
  • Verify:
Outline
  • Introduction
  • A simple signature scheme
  • Security analysis
  • Discussions
  • Conclusions
Existential unforgeability
  • Existential unforgeability
    • Given n valid signatures on (M1,…,Mn), the adversary outputs a forged signature on M*, where M* is not in {M1,…,Mn}.
  • We construct a security game to model an attack that forges a signature existentially.
Roles
  • A: the adversary
    • Break the scheme
    • Win this game
  • C: the challenger
    • Solve a hard problem
    • Act as an oracle that responds to A’s requests.
Security game
  • Setup
  • Attack
  • Forgery
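Attack
[Figure: Setup and Attack phases between Challenger and Adversary. After Setup, the Adversary sends Queries and the Challenger returns a Response.]
Forgery
[Figure: Forgery phase. The Adversary sends a Forgery to the Challenger, who uses it to solve a hard problem.]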
Security proof
  • Setup:
  • C returns pk to A.
Security proof
  • Setup
  • Attack:
    • H queries.
    • Sign queries.
  • Forgery
H queries.
  • A can query H(Mi).
  • C maintains H-table, <M, Q, α, c>.
  • If H(Mi) has been queried before, C will return H(Mi) as before.
H queries.
  • If not, C will randomly pick a coin ci with Pr[ci=0]=1/qS.
    • If ci=0, C randomly choosesand returns .
    • If ci=1, C randomly choosesand returns .
  • Finally, C inserts (Mi, Qi, αi, ci) into H-table.
Sign queries.
  • A can query a signature of a message Mi.
  • If the message Mi maps to ci=0 in H-table, C will abort and terminate.
  • If not, C will compute the signature where αi is from H-table.
    • σi is a valid signature without doubt.
Security proof
  • Setup
  • Attack:
  • Forgery
Forgery
  • A forges a signature σ* on M*.
  • If M* does not map to c*=0, C will abort and terminate.
  • The forged signature is valid, whereas the following equation holds.
  • C can use A’s forgery to solve the CDH problem.
Security proof
  • We conclude that A wins this game if and only if C does not abort in Attack and Forgery.
  • Two events are as follows.
    • E1: C does not abort in Attack (for example, during Sign queries).
    • E2: C does not abort in Forgery.
  • Thus, we have
    • The probability of A winning this game is .
    • The probability of C winning this game is .
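The challenger's bookkeeping from the ROM, H-query, Sign-query and Forgery slides can be simulated to see how often C gets through the game without aborting. This is an added example, not code from the paper or the presentation; it assumes qS is the number of Sign queries, that A signs qS distinct messages and forges on a fresh M*, and it replaces the group elements Q and σ with a stand-in random α. The closed form is derived for these assumptions only.

```python
import random

class Challenger:
    """Challenger C: lazily sampled H-table plus the abort rules.
    Group elements are omitted; alpha is a stand-in value (assumption)."""

    def __init__(self, q_s, rng):
        self.q_s = q_s
        self.rng = rng
        self.h_table = {}  # M -> (alpha, c)

    def h_query(self, m):
        # A repeated query returns the stored entry, as a random oracle must.
        if m not in self.h_table:
            c = 0 if self.rng.random() < 1.0 / self.q_s else 1  # Pr[c=0]=1/qS
            alpha = self.rng.getrandbits(64)
            self.h_table[m] = (alpha, c)
        return self.h_table[m]

    def sign_query(self, m):
        alpha, c = self.h_query(m)
        if c == 0:
            return None   # C aborts: it cannot sign when c=0
        return alpha      # stand-in for the signature computed from alpha

    def accepts_forgery(self, m_star):
        _, c = self.h_query(m_star)
        return c == 0     # the forgery is useful to C only when c*=0

def run_game(q_s, rng):
    """One game: q_s Sign queries on distinct messages, then a forgery on M*."""
    C = Challenger(q_s, rng)
    for i in range(q_s):
        if C.sign_query(f"M{i}") is None:
            return False              # event E1 failed
    return C.accepts_forgery("M*")    # event E2

def estimate_success(q_s, trials, seed=1):
    rng = random.Random(seed)
    return sum(run_game(q_s, rng) for _ in range(trials)) / trials

def closed_form(q_s):
    # Pr[E1] * Pr[E2] with independent coins, under the example's assumptions.
    return (1 - 1 / q_s) ** q_s * (1 / q_s)

if __name__ == "__main__":
    print(estimate_success(10, 50000), closed_form(10))
```
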
Outline
  • Introduction
  • A simple signature scheme
  • Security analysis
  • Discussions
  • Conclusions
A new assumption
  • According to the above proof, we can obtain a new assumption.
  • Given
  • Find a pair where
Conclusions
  • We give a simple signature scheme to introduce the security proof.