
Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Dan Boneh and Xavier Boyen, J. Cryptol. (2008) 21: 149–177. Presenter: Yu-Chi Chen.


Presentation Transcript


  1. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.) Dan Boneh and Xavier Boyen, J. Cryptol. (2008) 21: 149–177 Presenter: Yu-Chi Chen

  2. About this paper • One of the authors, Dan Boneh, is a well-known researcher in the area of applied cryptography. • The previous version (Eurocrypt 2004) has 600+ citations. This paper is the full version (J. Cryptol.). • His website: http://crypto.stanford.edu/~dabo/

  3. Summary • Part 1: Background of the security proof • Part 2: Background of the security proof • Part 3: BB-weakly secure short signature scheme with its security proof • Part 4: BB-full short signature scheme with its security proof • Part 5: (undecided)

  4. Outline • Introduction • A simple signature scheme • Security analysis • Discussions • Conclusions

  5. Introduction • Cryptographic scheme • Security argument vs. Security proof • Before 2000 vs. After 2000.

  6. M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols • In Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993. • Cite: 2800+

  7. ROM: Random oracle model • An adversary can send its queries to the “Oracle”. • The Oracle is like a function: H: {0,1}* → {0,1}^k. • Ex: H(x) = y • If the input, x, has been queried before, the Oracle will return the same value, y, as before.

  8. ROM • If the input, x, has never been queried, the Oracle will output a random y. • The output values are uniformly distributed.

  9. Comments • ROM vs. Standard model • Hardness assumptions • Attacks • Security goals • Efficiency

  10. Comments • Hardness assumptions: • The RSA problem (formal) • The variant RSA problem (informal) • The CDH problem (formal) • …

  11. Attacks • Chosen message attack • Adaptive chosen message attack • Weak chosen message attack • CPA, CCA, CCA-2,…

  12. Security goals • Existential unforgeability • Strong unforgeability • …

  13. Efficiency • Computation • Communication • …

  14. Outline • Introduction • A simple signature scheme • Security analysis • Discussions • Conclusions

  15. Secure signature • (BB-SS, page 3) • KeyGen: Outputs a random key pair (pk, sk). • Sign: Takes sk and a message M, then returns a signature σ. • Verify: Takes pk and a signed message (σ, M), then returns valid or invalid.

  16. Secure signature (cont.) • (BB-SS, page 4) • The signature scheme is said to be correct if the following property is satisfied.

  17. Signature scheme • KeyGen: • Sign: • Verify:

  18. Outline • Introduction • A simple signature scheme • Security analysis • Discussions • Conclusions

  19. Existential unforgeability • Existential unforgeability • Given n valid signatures on (M1,…,Mn), the adversary outputs a forged signature on M*, where M* is not in {M1,…,Mn}. • We construct a security game to model an existential forgery attack.

  20. Roles • A: the adversary • Break the scheme • Win this game • C: the challenger • Solve a hard problem • Be an oracle that responds to A’s requests.

  21. Security game • Setup • Attack • Forgery

  22. Attack • (Diagram: Challenger and Adversary; labels: Setup, Queries, Response)

  23. Forgery • (Diagram: Challenger and Adversary; labels: Forgery, Solve a hard problem)

  24. Computational Diffie-Hellman • Given • Compute

  25. Security proof • Setup: • C returns pk to A.

  26. Security proof • Setup • Attack: • H queries. • Sign queries. • Forgery

  27. H queries. • A can query H(Mi). • C maintains an H-table, <M, Q, α, c>. • If H(Mi) has been queried before, C will return H(Mi) as before.

  28. H queries. • If not, C will randomly pick a coin with Pr[ci=0]=1/qS. • If ci=0, C randomly chooses and returns . • If ci=1, C randomly chooses and returns . • Finally, C inserts (Mi, Qi, αi, ci) into the H-table.

  29. Sign queries. • A can query a signature of a message Mi. • If the message Mi maps to ci=0 in the H-table, C will abort and terminate. • If not, C will compute the signature where αi is from the H-table. • σi is a valid signature without doubt.

  30. Security proof • Setup • Attack: • Forgery

  31. Forgery • A forges a signature σ* on M*. • If M* does not map to c*=0, C will abort and terminate. • The forged signature is valid, whereas the following equation holds. • C can use A’s forgery to solve the CDH problem.

  32. Security proof • We conclude that A wins this game if and only if C does not abort in Attack and Forgery. • Two events are as follows. • E1: C does not abort in Attack such as Sign queries. • E2: C does not abort in Forgery. • Thus, we have • The probability of A winning this game is . • The probability of C winning this game is .
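
The bookkeeping behind slides 27 to 32 (and the lazily sampled oracle of slides 7 and 8), as an added example that is not part of the original presentation. Group elements are left out because their formulas are not on the page: `alpha` is a 64-bit stand-in, the adversary is assumed to make exactly q_S distinct Sign queries before forging on a fresh message, and the closed form in `exact` is derived from the coin bias and abort rules for that constructed adversary, not copied from the slides.

```python
import random

class Challenger:
    """C's H-table <M, Q, alpha, c>; Q is omitted (its formula is not on the page)."""
    def __init__(self, q_s, rng):
        self.q_s, self.rng = q_s, rng
        self.table = {}                      # M -> (alpha, c)

    def _entry(self, m):
        # Lazy sampling: a fresh input gets a fresh random entry, a repeated
        # input gets the stored one, so answers stay consistent.
        if m not in self.table:
            c = 0 if self.rng.random() < 1.0 / self.q_s else 1   # Pr[c=0] = 1/q_S
            alpha = self.rng.getrandbits(64)  # stand-in for the random alpha_i
            self.table[m] = (alpha, c)
        return self.table[m]

    def coin(self, m):
        return self._entry(m)[1]

    def sign_query(self, m):
        alpha, c = self._entry(m)
        if c == 0:
            return None                      # C aborts: it cannot sign this message
        return ("sig", m, alpha)             # placeholder for sigma_i built from alpha_i

    def forgery_usable(self, m_star):
        return self.coin(m_star) == 0        # C aborts unless M* maps to c* = 0

def play(q_s, rng):
    """One game: True iff C aborts neither in Attack (E1) nor in Forgery (E2)."""
    ch = Challenger(q_s, rng)
    for i in range(q_s):                     # assumed adversary: q_S distinct Sign queries
        if ch.sign_query("M%d" % i) is None:
            return False                     # E1 fails
    return ch.forgery_usable("M*")           # E2

def estimate(q_s, trials=20000, seed=1):
    rng = random.Random(seed)
    return sum(play(q_s, rng) for _ in range(trials)) / trials

def exact(q_s):
    # Pr[E1 and E2] for the adversary above: every Sign query needs c=1,
    # and the forgery needs c*=0, with all coins independent.
    return (1 - 1 / q_s) ** q_s * (1 / q_s)

if __name__ == "__main__":
    for q in (4, 16, 64):
        print(q, round(estimate(q), 4), round(exact(q), 4))
```

The non-abort probability shrinks roughly like 1/(e·q_S), which is the factor the reduction loses relative to A's success probability.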

  33. Outline • Introduction • A simple signature scheme • Security analysis • Discussions • Conclusions

  34. A new assumption • According to the above proof, we can obtain a new assumption. • Given • Find a pair where

  35. Conclusions • We give a simple signature scheme to introduce the security proof.
