This paper introduces a secure method for sequential aggregate signatures, offering nonrepudiation for multiple messages under different keys without the need for random oracles. This approach, derived from W’05 signatures, ensures signer efficiency by reusing randomness from previous signatures. The paper elaborates on the concept of aggregate signatures, discussing applications such as X.509 certificate chains and Secure BGP route attestations. Verification of such aggregate signatures requires specific pairings, and the difficulty of achieving this without random oracles is noted, contrasting with traditional efficient signatures that have a random component. The paper also outlines the challenges and solutions in implementing this sequential aggregate signature scheme without random oracles, comparing it with existing methods and highlighting its potential benefits in terms of performance and security.
Sequential Aggregate Signatures and Multisignatures Without Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters
Secure BGP
• BGP “Speakers” send path update messages
• S-BGP: sequence of messages + sigs.
• 4096 byte size limit
[Figure: the signed list grows at each hop: (M1, σ1); (M1, σ1), (M2, σ2); (M1, σ1), (M2, σ2), (M3, σ3)]
Aggregate Sigs [BGLS03]
[Figure: Sign, then Aggregate]
Aggregate Signatures [BGLS03]
• A single short aggregate provides nonrepudiation for many different messages under many different keys
• More general than multisignatures
• Applications:
  • X.509 certificate chains
  • Secure BGP route attestations
  • PGP web of trust
[Figure: certificate chain Verisign, Verisign Europe, NatWest, NatWest WWW]
BGLS Aggregate Sigs
BLS Sigs: $PK = g^a$, $SK = a$
Sign(SK, M): $\sigma = H(M)^a$
Verify(PK, M, σ): $e(\sigma, g) = e(H(M), PK)$
Secure in R.O. Model --- Deterministic Signatures
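BGLS Aggregate Sigs
$PK_i = g^{a_i}$, $SK_i = a_i$
Sign($SK_i$, $M_i$): $\sigma_i = H(M_i)^{a_i}$
Aggregate($\sigma_1, \dots, \sigma_n$): $\sigma^* = \prod_{i=1}^{n} \sigma_i$
Verify($PK_i$, $M_1, \dots, M_n$, $\sigma^*$): $e(\sigma^*, g) = \prod_{i=1}^{n} e(H(M_i), PK_i)$
Verification requires n pairings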
Difficulty w/o Random Oracles
• Known efficient signatures have a random component
  • Strong RSA sigs [GHR’99, CS’99]
  • B-Map [BB’04, CL’04, W’05]
  • Tree sigs
• Difficult to aggregate
  • Independent signatures => Independent randomness
Sequential Aggregates [LMRS’04]
• Signing and Aggregation are a single operation
• Inherently sequenced; not appropriate for PGP
[Figure: Sign and Aggregate]
Our Approach
• Build from W’05 signatures
• Signer uses same randomness from previous sig
• Then re-randomizes
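Our Aggregate Sigs
W’05 Sigs: $PK = e(g,g)^a,\ h,\ u_1, \dots, u_m$; $SK = a$
Sign(SK, M): $\sigma = (\sigma', \sigma'') = \left( g^a \left( h \prod_{i=1}^{m} u_i^{M_i} \right)^r,\ g^{-r} \right)$
Verify(PK, M, σ): $e(\sigma', g) \cdot e\left(\sigma'',\ h \prod_{i=1}^{m} u_i^{M_i}\right) = e(g,g)^a$
Secure w/o R.O.s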
Our Aggregate Sigs PKi = e(g,g)ai ,hi=gyi’, ui,1=gyi,1…,um, =gyi,m SK =ai ,yi’, yi,1,…,yi,m Agg(SKi,Mi,*=1,2): x=DL(h j=1,…m uMi,j ) • *=(’,’’)=ga2x1, 2 Verify(PK,M1,…Mn,*=(’,’’)): e( ’,g) e( ’’, i=1…n hjj=1,…m uMi,j)=i=1…n e(g,g)ai Know DL PK
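The sequential step from the slides above (reuse the previous signer's randomness, then re-randomize), as an added example that is not the authors' code. It is a toy algebra model with no security: each group element is stored as its discrete log mod a prime, so the pairing is plain multiplication and one dict serves as both PK and SK. The update is written for the σ'' = g^{-r} convention of the W’05 slide; `Q`, `M_BITS` and all function names are assumptions.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime order of the toy groups (constructed)
M_BITS = 32      # message length m in bits (constructed)

# Toy model: g^x in G and e(g,g)^z in GT are stored as x and z mod Q, so
# multiplying elements is addition and the pairing is multiplication.
def pair(x, y):
    return x * y % Q

def msg_bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> j) & 1 for j in range(M_BITS)]

def keygen():
    # SK_i = (a, y', y_1..y_m); PK_i = (e(g,g)^a, h = g^y', u_j = g^y_j).
    # In this model both halves are the same numbers.
    return {"a": secrets.randbelow(Q), "h": secrets.randbelow(Q),
            "u": [secrets.randbelow(Q) for _ in range(M_BITS)]}

def waters_hash(key, msg):
    # h * prod_j u_j^{M_j}; in this model that is also x = DL(...)
    return (key["h"] + sum(u for u, b in zip(key["u"], msg_bits(msg)) if b)) % Q

def verify(keys, msgs, sig):
    s1, s2 = sig
    hs = sum(waters_hash(k, m) for k, m in zip(keys, msgs)) % Q
    return (pair(s1, 1) + pair(s2, hs)) % Q == sum(k["a"] for k in keys) % Q

def agg_sign(key, msg, keys, msgs, sig):
    # The signer checks the aggregate so far before extending it.
    if not verify(keys, msgs, sig):
        raise ValueError("incoming aggregate does not verify")
    s1, s2 = sig
    x = waters_hash(key, msg)
    s1 = (s1 + key["a"] - x * s2) % Q   # sigma1 * g^a * sigma2^(-x): reuses r
    # Re-randomize with fresh t over every signer's hash, including ours.
    t = secrets.randbelow(Q)
    hs = (x + sum(waters_hash(k, m) for k, m in zip(keys, msgs))) % Q
    return ((s1 + t * hs) % Q, (s2 - t) % Q)

def sign_chain(keys, msgs):
    sig = (0, 0)                        # identity elements: empty aggregate
    for i in range(len(keys)):
        sig = agg_sign(keys[i], msgs[i], keys[:i], msgs[:i], sig)
    return sig
```

The aggregate stays two group elements however many signers extend it, and verification fails if any message or signer in the chain is changed or dropped.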
Comparisons
• Shorter than LMRS
• Faster Ver. than BGLS
Summary and Open Problems
• Sequential Aggregate Signatures w/o R.O.
• Use same randomness sequentially
• Arguably better Performance than R.O. schemes
• Multi-Sigs and Verifiable Enc. Sigs
• Shorter Public Parameters
• Certificate Chains
• Full Aggregate Signatures
Sequential Aggregate Chosen-Key Model
• Nontriviality:
  • σ* is a valid sequential aggregate
  • challenge key pk = pkj* for some j;
  • No oracle query at pk1*,…,pkj*;M1*,…,Mj*.
[Figure: Adversary with AggSign() oracle]