
Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)



Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.). Dan Boneh and Xavier Boyen, J. Cryptol. (2008) 21: 149–177. Presenter: Yu-Chi Chen.


Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Dan Boneh and Xavier Boyen

J. Cryptol. (2008) 21: 149–177

Presenter: Yu-Chi Chen


About this paper

  • One of the authors, Dan Boneh, is a well-known researcher in the area of applied cryptography.

  • The previous version (Eurocrypt 2004) has 600+ citations. This paper is the full version (J. Cryptol.).

  • His website: http://crypto.stanford.edu/~dabo/


Summary

  • Part 1: Background of the security proof

  • Part 2: Background of the security proof

  • Part 3: BB-weakly secure short signature scheme with its security proof

  • Part 4: BB-full short signature scheme with its security proof

  • Part 5: (undecided)


Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Introduction

  • Cryptographic scheme

  • Security argument vs. Security proof

  • Before 2000 vs. After 2000.


  • M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols

    • In Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993.

    • Citations: 2800+


ROM: Random oracle model

  • An adversary can send its queries to the “Oracle”.

  • The Oracle behaves like a function H: {0,1}* → {0,1}^k.

    • Ex: H(x) = y

  • If the input, x, has been queried, Oracle will return the same value, y, as before.


ROM

  • If the input, x, has never been queried, Oracle will randomly output y.

  • The output values are uniformly distributed.


Comments

  • ROM vs. Standard model

    • Hardness assumptions

    • Attacks

    • Security goals

    • Efficiency


Comments

  • Hardness assumptions:

    • The RSA problem (formal)

    • The variant RSA problem (informal)

    • The CDH problem (formal)


  • Attacks

    • Chosen message attack

    • Adaptive chosen message attack

    • Weak chosen message attack

    • CPA, CCA, CCA-2,…




Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Secure signature

  • (BB-SS, page 3)

  • KeyGen: Outputs a random key pair (pk, sk).

  • Sign: Takes sk and a message M, then returns a signature σ.

  • Verify: Takes pk and a signed message (σ, M), then returns valid or invalid.


Secure signature (cont.)

  • (BB-SS, page 4)

  • The signature scheme is said to be correct if the following property is satisfied.


Signature scheme

  • KeyGen:

  • Sign:

  • Verify:


Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Existential unforgeability

  • Existential unforgeability

    • Given n valid signatures on (M1,…,Mn), output a forged signature on M*, where M* is not in {M1,…,Mn}.

  • We construct a security game to model an attack that forges a signature existentially.


Roles

  • A: the adversary

    • Break the scheme

    • Win this game

  • C: the challenger

    • Solve a hard problem

    • Act as an oracle that responds to A’s requests.


Security game

  • Setup

  • Attack

  • Forgery


[Figure: the security game between the Challenger and the Adversary. Phases: Setup; Attack (Queries, Response); Forgery (the Challenger uses the Forgery to solve a hard problem).]


Computational Diffie-Hellman

  • Given

  • Compute


Security proof

  • Setup:

  • C returns pk to A.


Security proof

  • Setup

  • Attack:

    • H queries.

    • Sign queries.

  • Forgery


H queries.

  • A can query H(Mi).

  • C maintains an H-table with entries <M, Q, α, c>.

  • If H(Mi) has been queried before, C will return H(Mi) as before.


H queries.

  • If not, C will randomly pick a coin with Pr[ci=0]=1/qS.

    • If ci=0, C randomly chooses and returns .

    • If ci=1, C randomly chooses and returns .

  • Finally, C inserts (Mi, Qi, αi, ci) into the H-table.


Sign queries.

  • A can query a signature of a message Mi.

  • If the message Mi maps to ci=0 in the H-table, C will abort and terminate.

  • If not, C will compute the signature where αi is from the H-table.

    • σi is a valid signature without doubt.


Security proof

  • Setup

  • Attack:

  • Forgery


Forgery

  • A forges a signature σ* on M*.

  • If M* does not map to c*=0, C will abort and terminate.

  • The forged signature is valid, that is, the following equation holds.

  • C can use A’s forgery to solve the CDH problem.


Security proof

  • We conclude that A wins this game if and only if C does not abort in Attack and Forgery.

  • Two events are as follows.

    • E1: C does not abort in Attack (for example, during Sign queries).

    • E2: C does not abort in Forgery.

  • Thus, we have

    • The probability of A winning this game is .

    • The probability of C winning this game is .
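
An added example (not from the slides or the paper): a Python simulation of C's H-table and abort rules that estimates how often both E1 and E2 occur. It assumes A makes exactly qS distinct sign queries and then forges on a fresh message; group elements are not modelled, and the names `Challenger`, `run_game`, `estimate` and `closed_form` are hypothetical.

```python
import random

class Challenger:
    """C's bookkeeping: an H-table of <M, Q, alpha, c> rows plus the abort rules.
    Q is left as None because the group formulas are not modelled here."""

    def __init__(self, q_s, rng=None):
        self.q_s = q_s
        self.rng = rng or random.Random()
        self.table = {}                               # M -> (Q, alpha, c)

    def h_query(self, m):
        if m not in self.table:                       # fresh input: sample lazily
            c = 0 if self.rng.random() < 1 / self.q_s else 1   # Pr[c=0] = 1/qS
            alpha = self.rng.getrandbits(64)          # stand-in for a random exponent
            self.table[m] = (None, alpha, c)
        return self.table[m]                          # repeated input: same answer

    def sign_query(self, m):
        _, _, c = self.h_query(m)
        return c == 1                                 # False: C aborts (c = 0)

    def accept_forgery(self, m_star):
        _, _, c = self.h_query(m_star)
        return c == 0                                 # False: C aborts (c* != 0)


def run_game(q_s, rng):
    """One game: q_s distinct sign queries, then a forgery on a fresh message."""
    ch = Challenger(q_s, rng)
    e1 = all(ch.sign_query(f"M{i}") for i in range(q_s))   # E1: no abort in Attack
    e2 = ch.accept_forgery("M*")                            # E2: no abort in Forgery
    return e1 and e2


def estimate(q_s, trials, seed=1):
    """Empirical frequency of (E1 and E2) over independent games."""
    rng = random.Random(seed)
    return sum(run_game(q_s, rng) for _ in range(trials)) / trials


def closed_form(q_s):
    """Pr[E1 and E2] = (1 - 1/qS)^qS * (1/qS) for independent coins."""
    return (1 - 1 / q_s) ** q_s / q_s


if __name__ == "__main__":
    for q in (5, 10, 50):
        print(q, round(estimate(q, 100_000), 4), round(closed_form(q), 4))
```

The estimate counts only C's non-abort events; C's overall success also depends on A's own forging probability, which the simulation does not model.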


Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


A new assumption

  • According to the above proof, we can obtain a new assumption.

  • Given

  • Find a pair where


Conclusions

  • We give a simple signature scheme to introduce the security proof.

