Sequential Aggregate Signatures and Multisignatures Without Random Oracles

1
Sequential Aggregate Signatures and
MultisignaturesWithout Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav
Shacham, and Brent Waters
2
Secure BGP

• BGP Speakers send path updates messages
• S-BGP sequence of messages sigs.
• 4096 byte size limit

(M1,?1)
(M1,?1), (M2,?2), (M3,?3)
(M1,?1), (M2,?2)
3
Aggregate Sigs BGLS03
Sign
Aggregate
4
Aggregate Signatures BGLS03

• A single short aggregate provides nonrepudiation
  for many different messages under many different
  keys
• More general than multisignatures
• Applications
• X.509 certificate chains
• Secure BGP route attestations
• PGP web of trust

5
BGLS Aggregate Sigs

• BLS Sigs
• PK ga SKa
• Sign(SK,M) ?H(M)a
• Verify(PK,M,?) e(?,g)e( H(M), PK)
• Secure in R.O. Model --- Deterministic Signatures

6
BGLS Aggregate Sigs

• PKi gai SKiai
• Sign(SKi,Mi) ?iH(Mi)ai
• Aggregate(?1,?n) ??i1n ?i
• Verify(PKi,M1,,Mn ,?) e(?,g)? i1,n
  e( H(Mi), PKi)
• Verification requires n pairings

7
Difficulty w/o Random Oracles

• Known efficient signatures have a random
  component
• Strong RSA sigsGHR 99, CS99
• B-Map BB04,CL04.W05
• Tree- sigs
• Difficult to aggregate
• Independent signatures gt Independent randomness

8
Sequential Aggregates LMRS04
Sign and Aggregate

• Signing and Aggregation are a single operation
• Inherently sequenced not appropriate for PGP

9
Our Approach

• Build from W05 signatures
• Signer uses same randomess from previous sig
• Then re-randomizes

10
Our Aggregate Sigs

• W05 Sigs
• PK e(g,g)a ,h, u1,,um SKa
• Sign(SK,M) ?(?,?)ga (h ?i1,m uMi)r
  , g-r
• Verify(PK,M,?) e(? ,g) e( ?, h ?i1,m
  uMi)e(g,g)a
• Secure w/o R.O.s

11
Our Aggregate Sigs

• PKi e(g,g)ai ,higyi, ui,1gyi,1,um, gyi,m
  
• SK ai ,yi, yi,1,,yi,m
• Agg(SKi,Mi,??1,?2)
• xDL(h ?j1,m uMi,j )
• ?(?,?)ga ?2x ?1, ?2
• Verify(PK,M1,Mn,?(?,?))
• e(? ,g) e( ?, ?i1n hj ?j1,m
  uMi,j)?i1n e(g,g)ai

Know DL PK
12
Comparisons
Shorter than LMRS
Faster Ver. than BGLS
13
Summary and Open Problems

• Sequential Aggregate Signatures w/o R.O.
• Use same randomness sequentially
• Arguably better Performance than R.O. schemes
• Multi-Sigs and Verifiable Enc. Sigs
• Shorter Public Parameters
• Certificate Chains
• Full Aggregate Signatures

14
THE END
15
Sequential Aggregate Chosen-Key Model
AggSign() oracle
Adversary

• Nontriviality
• s is a valid sequential aggregate
• challenge key pk pkj for some j
• No oracle query at pk1,,pkjM1,,Mj.