Transitive Signatures based on Factoring and RSA
Mihir Bellare (University of California, San Diego, USA)
Gregory Neven (Katholieke Universiteit Leuven, Belgium)
2
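Standard digital signatures
Key generation: $\mathrm{SKG}(1^k) \to (spk, ssk)$
Signing: $\mathrm{SSign}_{ssk}(M) \to \sigma$
Verification: $\mathrm{SVf}_{spk}(M, \sigma') \to$ accept / reject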
3
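Transitive signatures [MR02]
Message is pair of nodes $i, j$
Signing $i, j$ = creating and authenticating edge $\{i,j\}$
An authenticated graph grows with time
Key generation: $\mathrm{TKG}(1^k) \to (tpk, tsk)$
Signing: $\mathrm{TSign}_{tsk}(i, j) \to \sigma_{i,j}$
Verification: $\mathrm{TVf}_{tpk}(i, j, \sigma'_{i,j}) \to$ accept / reject
[Figure: graph on nodes 1, 2, 3, 4, 5 with signed edges $\{1,2\}$, $\{2,3\}$, $\{4,5\}$ labelled $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$]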
4
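Transitive signatures [MR02]
Key generation: $\mathrm{TKG}(1^k) \to (tpk, tsk)$
Signing: $\mathrm{TSign}_{tsk}(i, j) \to \sigma_{i,j}$
Verification: $\mathrm{TVf}_{tpk}(i, j, \sigma'_{i,j}) \to$ accept / reject
Additional composition algorithm: $\mathrm{Comp}_{tpk}(i, j, k, \sigma_{i,j}, \sigma_{j,k}) \to \sigma_{i,k}$
Authenticated graph is transitive closure of directly signed edges
[Figure: graph on nodes 1, 2, 3, 4, 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; composing on $1, 2, 3$ with $\sigma_{1,2}$ and $\sigma_{2,3}$ yields $\sigma_{1,3}$]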
5
Security of transitive signatures
Standard security definition of [GMR] doesn’t apply: composition allows forgery to some extent
New security goal [MR02]: computationally infeasible to forge signatures not in transitive closure of the edges signed directly by the signer even under “chosen-edge” attack
[Figure: forger $F$ receives $tpk$ and queries the oracle $\mathrm{TSign}_{tsk}(\cdot,\cdot)$ on the edges $1,2$, $2,3$ and $4,5$, obtaining $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$; $\sigma_{1,3}$ is also available to $F$; $F$ outputs the forgery $\{1,4\}, \sigma_{1,4}$ on the graph with nodes 1, 2, 3, 4, 5]
6
Why transitive signatures?
Applications? Micali and Rivest suggest
- military chain-of-command (directed)
- administrative domains (undirected)
Compelling application yet to be found
But a cool concept!
7
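RSATS-1: RSA based scheme [MR02]
Assume standard signature scheme with key pair $(spk, ssk)$; $\langle M \rangle$ denotes message $M$ signed under $ssk$
$tpk = (spk, N, e)$
$tsk = ssk$
Signer assigns to each node $i$:
- secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
- public label $y_i \leftarrow x_i^e \bmod N$
- node certificate $\langle i, y_i \rangle$
To sign edge $\{1,2\}$:
- edge label $\delta_{1,2} \leftarrow x_1 \cdot x_2^{-1} \bmod N$
- signature $\sigma_{1,2} = (\langle 1, y_1 \rangle, \langle 2, y_2 \rangle, \delta_{1,2})$
Verification of $(\langle 1, y_1 \rangle, \langle 2, y_2 \rangle, \delta_{1,2})$:
- check node certificates
- check $\delta_{1,2}^e = y_1 \cdot y_2^{-1} \bmod N$
[Figure: nodes 1, 2, 3 with secret labels $x_1, x_2, x_3$, public labels $y_1, y_2, y_3$ and node certificates $\langle 1, y_1 \rangle$, $\langle 2, y_2 \rangle$, $\langle 3, y_3 \rangle$]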
8
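Composition in RSATS-1
To compose signatures $\sigma_{1,2}$ and $\sigma_{2,3}$:
$\sigma_{1,2} = (\langle 1, y_1 \rangle, \langle 2, y_2 \rangle, \delta_{1,2})$ where $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
$\sigma_{2,3} = (\langle 2, y_2 \rangle, \langle 3, y_3 \rangle, \delta_{2,3})$ where $\delta_{2,3} = x_2 \cdot x_3^{-1} \bmod N$
$\sigma_{1,3} = (\langle 1, y_1 \rangle, \langle 3, y_3 \rangle, \delta_{1,3})$ where
$\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N = (x_1 \cdot x_2^{-1})(x_2 \cdot x_3^{-1}) \bmod N = x_1 \cdot x_3^{-1} \bmod N$
$x_i$ are kept in signer’s state
[Figure: nodes 1, 2, 3 with labels $x_1, y_1$, $x_2, y_2$, $x_3, y_3$ and edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{1,3}$]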
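The RSATS-1 signing, verification and composition steps from the two slides above, as an added Python example (not code from the talk). Assumptions: toy moduli built from Mersenne primes, textbook RSA over SHA-256 as a stand-in for the underlying standard signature scheme, and `compose` taking signatures oriented i→j then j→k.

```python
import hashlib, math, secrets

# Constructed toy keys built from Mersenne primes; far too small for real use.
E = 65537
N = (2**31 - 1) * (2**61 - 1)                 # modulus N in tpk
NS = (2**89 - 1) * (2**107 - 1)               # modulus of the stand-in standard scheme (spk)
DS = pow(E, -1, (2**89 - 2) * (2**107 - 2))   # its signing exponent (ssk)

def cert_digest(i, y):
    """Hash the certificate body (i, y_i) into Z_NS."""
    return int.from_bytes(hashlib.sha256(f"{i}|{y}".encode()).digest(), "big") % NS

class Signer:
    def __init__(self):
        self.x = {}                           # signer state: secret labels x_i

    def node_cert(self, i):
        while i not in self.x:                # draw x_i at random from Z_N^*
            x = secrets.randbelow(N - 2) + 2
            if math.gcd(x, N) == 1:
                self.x[i] = x
        y = pow(self.x[i], E, N)              # public label y_i = x_i^e mod N
        return (i, y, pow(cert_digest(i, y), DS, NS))

    def sign(self, i, j):
        ci, cj = self.node_cert(i), self.node_cert(j)
        delta = self.x[i] * pow(self.x[j], -1, N) % N   # x_i * x_j^-1 mod N
        return (ci, cj, delta)

def verify(i, j, sig):
    ci, cj, delta = sig
    for node, (n, y, s) in ((i, ci), (j, cj)):          # check node certificates
        if n != node or pow(s, E, NS) != cert_digest(n, y):
            return False
    if math.gcd(cj[1], N) != 1:                         # y_j must be invertible
        return False
    return pow(delta, E, N) == ci[1] * pow(cj[1], -1, N) % N   # delta^e = y_i * y_j^-1

def compose(sig_ij, sig_jk):
    """Public operation: derive a signature on {i,k} without any secret key."""
    (ci, cj, d_ij), (cj2, ck, d_jk) = sig_ij, sig_jk
    if cj != cj2:
        raise ValueError("signatures do not share the middle node")
    return (ci, ck, d_ij * d_jk % N)
```

The composed signature is bit-for-bit what the signer would have issued for the same edge, which is why a verifier cannot tell composed signatures from directly signed ones.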
9
Non-adaptive security of RSATS-1
RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
- RSA is one-way
- underlying standard signature scheme is secure under chosen-message attack
Is RSATS-1 secure under adaptive attack?
- Neither proof nor attack known
- Might rely on stronger properties of RSA than one-wayness
- We consider security under one-more inversion [BNPS01]
10
RSA under one-more inversion
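Adversary $A$ is given $N, e$ and two oracles:
- challenge oracle Chall: returns $y_i \xleftarrow{R} \mathbb{Z}_N^*$, giving $y_1, \ldots, y_m$
- inversion oracle $\mathrm{RSA}^{-1}_{N,e}(\cdot)$: on $z_1, \ldots, z_n$ returns $z_1^d \bmod N, \ldots, z_n^d \bmod N$
$A$ outputs $x_1, \ldots, x_m$
$A$ is successful iff $x_i^e = y_i \bmod N$ for $i = 1..m$ and $n < m$
Assumption: this problem is hard [BNPS01]
Used before
- by [BNPS01] to prove security of Chaum’s blind signatures
- by [BP02] to prove security of GQ identification scheme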
11
Adaptive security of RSATS-1
Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
- the one-more RSA-inversion problem is hard
- the underlying standard signature scheme is secure under chosen-message attack.
12
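Proof idea for RSATS-1
[Figure: adversary $A$, given $N, e$ and access to Chall and $\mathrm{RSA}^{-1}$, runs forger $F$ on $(spk, N, e)$. The challenges $y_1, \ldots, y_6$ serve as public labels of nodes 1, ..., 6. $F$'s queries $\{1,2\}$ and $\{2,3\}$ are answered with $\sigma_{1,2}$ and $\sigma_{2,3}$, where $\delta_{1,2}$ and $\delta_{2,3}$ come from submitting $y_1 y_2^{-1}$ and $y_2 y_3^{-1}$ to $\mathrm{RSA}^{-1}$; the query $\{1,3\}$ is answered with $\sigma_{1,3}$. The second component carries $\sigma_{4,6}$ and $\sigma_{5,6}$. $F$ outputs the forgery $\sigma_{1,4}$, and $A$ outputs $x_1, \ldots, x_6$.]
If $A$ would know $x_3$ (remember $\delta_{i,j} = x_i \cdot x_j^{-1}$):
$x_2 \leftarrow \delta_{2,3} \cdot x_3$
$x_1 \leftarrow \delta_{1,2} \cdot x_2$
Component with $n_1$ nodes: $n_1 - 1$ queries; component with $n_2$ nodes: $n_2 - 1$ queries
$(n_1 - 1) + (n_2 - 1) + 1 = n_1 + n_2 - 1$ queries $< n_1 + n_2$ decrypted challenges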
13
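FBTS-1: Factoring based scheme
$tpk = (spk, N)$; $tsk = ssk$
Signer assigns to each node $i$:
- secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
- public label $y_i \leftarrow x_i^2 \bmod N$
- node certificate $\langle i, y_i \rangle$
Signature $\sigma_{1,2} = (\langle 1, y_1 \rangle, \langle 2, y_2 \rangle, \delta_{1,2})$ with $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$
Verification of $\sigma_{1,2}$:
- check signatures on $\langle 1, y_1 \rangle$, $\langle 2, y_2 \rangle$
- check $\delta_{1,2}^2 = y_1 \cdot y_2^{-1} \bmod N$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
$\sigma_{1,3} = (\langle 1, y_1 \rangle, \langle 3, y_3 \rangle, \delta_{1,3})$ with $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N$
[Figure: nodes 1, 2, 3 with labels $x_1, y_1$, $x_2, y_2$, $x_3, y_3$ and edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{1,3}$]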
14
Security of FBTS-1
Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
- factoring $N$ is hard
- the underlying standard signature scheme is secure under chosen-message attack.
Proof idea:
- with probability 1/2, forgery gives second square root
- signatures might leak information about known root → information-theoretic lemma needed
15
Node certification paradigm
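For each node $i$, the signer:
- chooses secret label $x_i$
- computes public label $y_i = f(x_i)$
- creates node certificate $\langle i, y_i \rangle$
Signature $\sigma_{1,2} = (\langle 1, y_1 \rangle, \langle 2, y_2 \rangle, \delta_{1,2})$ where $\delta_{1,2} = g(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
$\sigma_{1,3} = (\langle 1, y_1 \rangle, \langle 3, y_3 \rangle, \delta_{1,3})$ where $\delta_{1,3} = h(\delta_{1,2}, \delta_{2,3})$

| Scheme | $f(x_i)$ | $g(x_i, x_j)$ | $h(\delta_{i,j}, \delta_{j,k})$ |
| --- | --- | --- | --- |
| RSATS-1 | $x_i^e \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |
| FBTS-1 | $x_i^2 \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |

[Figure: nodes 1, 2, 3 with labels $x_1, y_1$, $x_2, y_2$, $x_3, y_3$ and edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{1,3}$]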
16
Eliminating node certificates
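Let $H_{tpk}$ be a public hash function
For each node $i$, signer lets:
- public label $y_i \leftarrow H_{tpk}(i)$
- secret label $x_i \leftarrow$ “inversion” of $y_i$ (using trapdoor information in $tsk$)
RSATS-1 and FBTS-1, but not MRTS
Signature $\sigma_{1,2} = \delta_{1,2}$ where $\delta_{1,2} = f(x_1, x_2)$
Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:
$\sigma_{1,3} = \delta_{1,3}$ where $\delta_{1,3} = g(\delta_{1,2}, \delta_{2,3})$
[Figure: nodes 1, 2, 3 with public labels $y_1 = H_{tpk}(1)$, $y_2 = H_{tpk}(2)$, $y_3 = H_{tpk}(3)$, secret labels $x_1, x_2, x_3$ and edges $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{1,3}$]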
17
RSATS-2 and FBTS-2
RSATS-2: Straightforward application of this idea to RSATS-1
Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
- the one-more RSA-inversion problem is hard
- $H_N: \{0,1\}^* \to \mathbb{Z}_N^*$ is a random oracle.
FBTS-2: Modifications needed because public labels have to be squares mod $N$
Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
- factoring $N$ is hard
- $H_N: \{0,1\}^* \to \mathbb{Z}_N^*[+1]$ is a random oracle.
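How hashing node names removes both the node certificates and the signer's state in RSATS-2, as an added Python example (not code from the talk). Assumptions: a toy modulus built from Mersenne primes, SHA-256 with a retry counter standing in for the random oracle $H_N$, and string node names chosen for illustration.

```python
import hashlib, math

# Constructed toy key built from Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                                   # tpk = (N, e)
D = pow(E, -1, (P - 1) * (Q - 1))           # tsk: the RSA trapdoor

def H(i):
    """Public hash of a node name into Z_N^* (stand-in for the random oracle)."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{ctr}|{i}".encode()).digest()
        y = int.from_bytes(h, "big") % N
        if y > 1 and math.gcd(y, N) == 1:
            return y
        ctr += 1

def sign(i, j):
    """Stateless signer: x_i is recomputed as y_i^d mod N on every call."""
    x_i, x_j = pow(H(i), D, N), pow(H(j), D, N)
    return x_i * pow(x_j, -1, N) % N        # the whole signature is delta_{i,j}

def verify(i, j, delta):
    # delta^e = H(i) * H(j)^-1 mod N; labels come from the hash, not from certificates
    return pow(delta, E, N) == H(i) * pow(H(j), -1, N) % N

def compose(d_ij, d_jk):
    """Public operation on two edge labels that share the middle node j."""
    return d_ij * d_jk % N
```

A signature here is one element of $\mathbb{Z}_N^*$, and the label for the reversed edge is its modular inverse, so a real implementation has to fix a canonical orientation for each undirected edge.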
18
Previously known schemes
| Scheme | Security assumption | Adaptive? | Signature size |
| --- | --- | --- | --- |
| Trivial | Standard signatures | Yes | O(path length) |
| MRTS | Discrete logarithms; Standard signatures | Yes | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA; Standard signatures | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
19
Scheme contributions
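| Scheme | Security assumption | Adaptive? | Random oracle? | Signature size |
| --- | --- | --- | --- | --- |
| Trivial | Standard signatures | Yes | No | O(path length) |
| MRTS | Discrete logarithms; Standard signatures | Yes | No | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA; Standard signatures | No | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| RSATS-1 | One-more RSA; Standard signatures | Yes | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| FBTS-1 | Factoring; Standard signatures | Yes | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| RSATS-2 | One-more RSA | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |
| FBTS-2 | Factoring | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |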
Questions?