Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)


### Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Dan Boneh and Xavier Boyen

J. Cryptol. (2008) 21: 149–177

Presenter: Yu-Chi Chen

About this paper

- One of the authors, Dan Boneh, is a well-known researcher in the area of applied cryptography.
- The previous version (Eurocrypt 2004) has 600+ citations. This paper is the full version (J. Cryptol.).
- His website: http://crypto.stanford.edu/~dabo/

Summary

- Part 1: Background of the security proof
- Part 2: Background of the security proof
- Part 3: BB-weakly secure short signature scheme with its security proof
- Part 4: BB-full short signature scheme with its security proof
- Part 5: (undecided)

Outline

- Introduction
- A simple signature scheme
- Security analysis
- Discussions
- Conclusions

Introduction

- Cryptographic scheme
- Security argument vs. Security proof
- Before 2000 vs. After 2000.

M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols

- in Proceedings of the 1st ACM conference on Computer and communications security, 1993.
- Cite: 2800+

ROM: Random oracle model

- An adversary can send its queries to the “Oracle”.
- The Oracle behaves like a function $H: \{0,1\}^* \to \{0,1\}^k$.
- Ex: H(x) = y
- If the input, x, has been queried, Oracle will return the same value, y, as before.

ROM

- If the input, x, has never been queried, Oracle will randomly output y.
- The output values are uniformly distributed.

Comments

- ROM vs. Standard model
- Hardness assumptions
- Attacks
- Security goals
- Efficiency

Comments

- Hardness assumptions:
  - The RSA problem (formal)
  - The variant RSA problem (informal)
  - The CDH problem (formal)
  - …
- Attacks:
  - Chosen message attack
  - Adaptive chosen message attack
  - Weak chosen message attack
  - CPA, CCA, CCA-2,…
- Security goals:
  - Existential unforgeability
  - Strong unforgeability
  - …
- Efficiency:
  - Computation
  - Communication
  - …

Outline

- Introduction
- A simple signature scheme
- Security analysis
- Discussions
- Conclusions

Secure signature

- (BB-SS, page 3)
- KeyGen: Outputs a random key pair (pk, sk).
- Sign: Takes sk and a message M, then returns a signature σ.
- Verify: Takes pk and a signed message (σ, M), then returns valid or invalid.

Secure signature (cont.)

- (BB-SS, page 4)
- The signature scheme is said to be correct if the following property is satisfied.

Outline

- Introduction
- A simple signature scheme
- Security analysis
- Discussions
- Conclusions

Existential unforgeability

- Existential unforgeability
- Given n valid signatures on (M1,…,Mn), the adversary outputs a forged signature on M*, where M* is not in {M1,…,Mn}.
- We construct a security game to model an attack to forge a signature existentially.

Roles

- A: the adversary
  - Break the scheme
  - Win this game
- C: the challenger
  - Solve a hard problem
  - Be an oracle to respond to A’s requests.

Security game

- Setup
- Attack
- Forgery

Computational Diffie-Hellman

- Given
- Compute

Security proof

- Setup:
- C returns pk to A.

Security proof

- Setup
- Attack:
- H queries.
- Sign queries.
- Forgery

H queries.

- A can query H(Mi).
- C maintains H-table, <M, Q, α, c>.
- If H(Mi) has been queried before, C will return H(Mi) as before.

H queries.

- If not, C will randomly pick a coin with Pr[ci=0]=1/qS.
- If ci=0, C randomly chooses and returns .
- If ci=1, C randomly chooses and returns .
- Finally, C inserts (Mi, Qi, αi, ci) into H-table.

Sign queries.

- A can query a signature of a message Mi.
- If the message Mi maps to ci=0 in H-table, C will abort and terminate.
- If not, C will compute the signature where αi is from H-table.
- σi is a valid signature without doubt.

Security proof

- Setup
- Attack:
- Forgery

Forgery

- A forges a signature σ* on M*.
- If M* does not map to c*=0, C will abort and terminate.
- The forged signature is valid, whereas the following equation holds.
- C can use A’s forgery to solve the CDH problem.

Security proof

- We conclude that A wins this game if and only if C does not abort in Attack and Forgery.
- Two events are as follows.
- E1: C does not abort in Attack such as Sign queries.
- E2: C does not abort in Forgery.
- Thus, we have
- The probability of A winning this game is .
- The probability of C winning this game is .
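
The challenger's bookkeeping from the H queries, Sign queries and Forgery slides, including the lazily sampled oracle from the ROM slides, as an added Python example that is not from the paper or the presentation. It assumes qS is the number of Sign queries and that they are on distinct messages; Q is an opaque random stand-in and the signature is represented by α alone, because the group formulas are absent from this transcript; all class and function names are hypothetical.

```python
import random

class Abort(Exception): pass  # C cannot continue the simulation

class Challenger:
    def __init__(self, q_s, rng, k=128, order=2**61 - 1):
        self.q_s, self.rng, self.k, self.order = q_s, rng, k, order
        self.h_table = {}  # M -> (Q, alpha, c), the slide's <M, Q, alpha, c>

    def _entry(self, m):
        if m not in self.h_table:  # fresh input: sample once, then remember
            c = 0 if self.rng.random() < 1.0 / self.q_s else 1  # Pr[c=0]=1/qS
            alpha = self.rng.randrange(1, self.order)  # toy exponent (assumed)
            self.h_table[m] = (self.rng.getrandbits(self.k), alpha, c)  # Q: stand-in
        return self.h_table[m]

    def h_query(self, m):
        return self._entry(m)[0]  # A only ever sees Q, never alpha or c

    def sign_query(self, m):
        _, alpha, c = self._entry(m)
        if c == 0:
            raise Abort("Sign query on a message with c=0")
        return alpha  # stand-in: C builds the signature from alpha

    def forgery(self, m_star):
        _, alpha, c = self._entry(m_star)
        if c != 0:
            raise Abort("forgery on a message with c=1")
        return alpha  # no abort: C goes on to use A's forgery

def run_game(q_s, rng):
    # q_s Sign queries on distinct messages, then a forgery on a fresh M*.
    chal = Challenger(q_s, rng)
    try:
        for i in range(q_s):
            chal.sign_query(f"M{i}")
        chal.forgery("M*")
    except Abort:
        return False
    return True

def no_abort_rate(q_s, trials, seed=1):
    rng = random.Random(seed)  # seeded PRNG: fine for Monte Carlo, not for keys
    return sum(run_game(q_s, rng) for _ in range(trials)) / trials

def no_abort_bound(q_s):
    # Independent coins: Pr[E1] * Pr[E2] = (1 - 1/q_s)**q_s * (1/q_s)
    return (1 - 1 / q_s) ** q_s / q_s
```

For qS = 10 the closed form is about 0.035, and it approaches 1/(e·qS) as qS grows.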

Outline

- Introduction
- A simple signature scheme
- Security analysis
- Discussions
- Conclusions

A new assumption

- According to the above proof, we can obtain a new assumption.
- Given
- Find a pair where

Conclusions

- We give a simple signature scheme to introduce the security proof.
