Short signatures without random oracles and the sdh assumption in bilinear groups part 1
Download
1 / 35

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.) - PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.). Dan Boneh and Xavier Boyen J. Cryptol . (2008) 21: 149–177 Presenter: Yu-Chi Chen. About this paper.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)' - nicola


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Short signatures without random oracles and the sdh assumption in bilinear groups part 1

Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups (Part 1.)

Dan Bonehand Xavier Boyen

J. Cryptol. (2008) 21: 149–177

Presenter: Yu-Chi Chen


About this paper
About this paper

  • One of the authors, Dan Boneh, is a well-known researcher in the areas of applied cryptography.

  • The previous version (Eurocrypt 2004), cite: 600+. This paper is a full one (J. Cryptol.).

  • His website: http://crypto.stanford.edu/~dabo/


Summary
Summary

  • Part 1: Background of the security proof

  • Part 2: Background of the security proof

  • Part 3: BB-weakly secure short signature scheme with its security proof

  • Part 4: BB-full short signature scheme with its security proof

  • Part 5:(undecided)


Outline
Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Introduction
Introduction

  • Cryptographic scheme

  • Security argument vs. Security proof

  • Before 2000 vs. After 2000.


Short signatures without random oracles and the sdh assumption in bilinear groups part 1

  • M. Bellareand P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols

    • in Proceedings of the 1st ACM conference on Computer and communications security, 1993.

    • Cite: 2800+


Rom random oracle model
ROM: Random oracle model

  • An adversary can ask to “Oracle” for it’s queries.

  • Oracle is like a function: H:{0,1}*→{0,1}k.

    • Ex: H(x) = y

  • If the input, x, has been queried, Oracle will return the same value, y, as before.


Short signatures without random oracles and the sdh assumption in bilinear groups part 1
ROM

  • If the input, x, has never been queried, Oracle will randomly output y.

  • The outputted values are uniform distribution.


Comments
Comments

  • ROM vs. Standard model

    • Hardness assumptions

    • Attacks

    • Security goals

    • Efficiency


Comments1
Comments

  • Hardness assumptions:

    • The RSA problem (formal)

    • The variant RSA problem (informal)

    • The CDH problem (formal)


Short signatures without random oracles and the sdh assumption in bilinear groups part 1

  • Attacks

    • Chosen message attack

    • Adaptive chosen message attack

    • Weak chosen message attack

    • CPA, CCA, CCA-2,…


Short signatures without random oracles and the sdh assumption in bilinear groups part 1


Short signatures without random oracles and the sdh assumption in bilinear groups part 1


Outline1
Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Secure signature
Secure signature

  • (BB-SS, page 3)

  • KeyGen: Outputs a random key pair (pk, sk).

  • Sign: Takes skand a message M, then returns a signature σ.

  • Verify: Takes pkand a signed message (σ , M), then returns valid or invalid.


Secure signature cont
Secure signature (cont.)

  • (BB-SS, page 4)

  • The signature scheme is said to be correct if the following property is satisfied.


Signature scheme
Signature scheme

  • KeyGen:

  • Sign:

  • Verify:


Outline2
Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


Existential unforgeability
Existential unforgeability

  • Existential unforgeability

    • Given n valid signatures of (M1,…,Mn), to output a forged signature of M* where M* not in {M1,…,Mn}.

  • We construct a security game to model an attack to forge a signature existentially.


Roles
Roles

  • A: the adversary

    • Break the scheme

    • Win this game

  • C: the challenger

    • Solve a hard problem

    • Be an oracle to respond A’s request.


Security game
Security game

  • Setup

  • Attack

  • Forgery


Short signatures without random oracles and the sdh assumption in bilinear groups part 1

Attack

Queries

Response

Challenger

Adversary

Setup


Short signatures without random oracles and the sdh assumption in bilinear groups part 1

Forgery

Forgery

Challenger

Adversary

Solve a hard problem


Computational diffie hellman
Computational Diffie-Hellman

  • Given

  • Compute


Security proof
Security proof

  • Setup:

  • C returns pk to A.


Security proof1
Security proof

  • Setup

  • Attack:

    • H queries.

    • Sign queries.

  • Forgery


H queries
H queries.

  • A can query H(Mi).

  • C maintains H-table, <M, Q, α, c>.

  • If H(Mi)has been queried before, C will return H(Mi) as before.


H queries1
H queries.

  • If not, C will randomly pick a coinwith Pr[ci=0]=1/qS.

    • If ci=0, C randomly choosesand returns .

    • If ci=1, C randomly choosesand returns .

  • Finally, C inserts (Mi, Qi, αi, ci) into H-table.


Sign queries
Sign queries.

  • A can query a signature of a message Mi.

  • If the message Mi maps to ci=0 in H-table, C will abort and terminate.

  • If not, C will compute the signaturewhere αiis from H-table.

    • σi is a valid signature without doubt.


Security proof2
Security proof

  • Setup

  • Attack:

  • Forgery


Forgery
Forgery

  • A forges a signature σ* on M*.

  • If M* does not map to c*=0, C will abort and terminate.

  • The forged signature is valid, whereas the following equation holds.

  • C can use A’s forgery to solve the CDH problem.


Security proof3
Security proof

  • We conclude that A wins this game if and only if C does not abort in Attack and Forgery.

  • Two events are as follows.

    • E1: C does not abort in Attack such as Sign queries.

    • E2: C does not abort in Forgery.

  • Thus, we have

    • The probability of A winning this game is .

    • The probability of C winning this game is .


Outline3
Outline

  • Introduction

  • A simple signature scheme

  • Security analysis

  • Discussions

  • Conclusions


A new assumption
A new assumption

  • According to the above proof, we can obtain a new assumption.

  • Given

  • Find a pair where


Conclusions
Conclusions

  • We give a simple signature scheme to introduce the security proof.