Efficient Sequential Aggregate Signed Data

1
Efficient Sequential Aggregate Signed Data

• Gregory Neven
• IBM Zurich Research Laboratory
• work done while at K.U.Leuven

2
Digital signatures
(pk,sk) ? KeyGen()
(pk),M,s
s ? Sign(sk,M)
0/1 ? Verify(pk,M,s)
3
Digital signatures
s1 ? Sign(sk1,M1)
(pk1,,pkn),M1,,Mn, s1,, sn
s1

sn
i 0/1 ? Verify(pki,Mi,si)
A
sn ? Sign(skn,Mn)
4
Aggregate signatures (AS)
BGLS03
s1 ? Sign(sk1,M1)
(pk1,,pkn),M1,,Mn, s
s1

sn
s ? Agg(s1,,sn)
0/1 ? Verify(pk,M,s)
sn ? Sign(skn,Mn)

• Goal s lt s1 sn , preferably
  constant
• Motivation certificate chains secure routing
  protocols save bandwidth ( battery life) for
  wireless devices

5
Sequential aggregate signatures (SAS)
LMRS04
s1 ? Sign(sk1,M1)
s1
s2 ? Sign(sk2,M2,s1)

sn-1
(pk1,,pkn),M1,,Mn, s
s sn ? Sign(skn,Mn,sn-1)
0/1 ? Verify(pk,M,s)

• Goal s lt s1 sn , preferably
  constant
• Motivation certificate chains secure routing
  protocols save bandwidth ( battery life) for
  wireless devices

6
Existing (S)AS schemes
Scheme Type Based on Key model RO
BGLS AS pairings plain Y
LMRS SAS RSA plain Y
LOSSW SAS pairings KoSK N
7
Drawbacks of existing schemes

• Current drawbacks of pairings (BGLS, LOSSW)
• trust in assumptions vs. factoring, RSA
• no standardization
• implementations
• Rather inefficient verification (BGLS, LMRS)
• BGLS n pairings
• LMRS certified claw-free trapdoor permutations
• instantiation from RSA requires e gt N
• ? verification signing n full-length exps
• Weak key setup model (LOSSW)
• plain public-key vs. knowledge of secret key
  (KOSK)

8
Drawbacks of existing schemes

• Security parameter flexibility (BGLS, LMRS,
  LOSSW)
• e.g. certificate chains
• BGLS, LOSSW no flexibility whatsoever
• LMRS increasing modulus size only
• ? exact opposite of what we need
• No (S)AS schemes for currently existing
  keys/certificates!

security level
cert1 ? Sign(sk1, ID2pk2)
cert1
1
cert2 ? Sign(sk2, IDUpk, cert1)
2
cert2
s ? Sign(sk, M, cert2)
U
9
Our contributions

• Generalization of SAS to SASD
• SASD scheme with
• instantations from low-exponent RSA and factoring
• efficient signing (1 exp O(n) mult) and
• verification (O(n) mult)
• full flexibility in modulus size
• compatible with existing RSA/Rabin keys and
  certificates
• Pure SAS scheme with same properties
• Generalization of multi-signatures to
  multi-signed data (MSD)
• Non-interactive MSD scheme from RSA and factoring
• (no pairings)

10
Sequential aggregate signatures
LMRS04
s1 ? Sign(sk1,M1)
s1
s2 ? Sign(sk2,M2,s1)

sn-1
(pk1,,pkn),M1,,Mn, s
s sn ? Sign(skn,Mn,sn-1)
0/1 ? Verify(pk,M,s)

• Goal s lt s1 sn

11
Sequential aggregate signed data (SASD)
S1 ? Sign(sk1,M1)
S1
S2 ? Sign(sk2,M2,S1)

Sn-1
S
S Sn ? Sign(skn,Mn,Sn-1)
(pk,M)/ ? Verify(S)
-

• Goal minimize net overhead S M1
  Mn

12
SASD scheme intuition
Step 1. Full-domain hash with message
recovery Trapdoor permutation p, message M mµ
H

m
µ
M
G
p
-1


X
h
m
S
net overhead 160 bits
13
SASD scheme intuition
Step 1. Full-domain hash with message
recovery Trapdoor permutation p, message M mµ
H

m
µ
M
G
p

X
h
m
S
net overhead 160 bits
14
SASD scheme intuition
Step 2. Aggregating the hashes
H
m1
µ1

M1
G
-1
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
-1
p
2
X2
h2
m2
S2

net overhead 2160 320 bits
15
SASD scheme intuition
Step 2. Aggregating the hashes (intuition only
insecure!)
H
m1
µ1

M1
G
-1
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
-1
p
2
X2
h2
m2
S2

net overhead 160 bits
16
SASD scheme intuition
Step 2. Aggregating the hashes (intuition only
insecure!)
H
m1
µ1

M1
G
p
1
X1
h1
m1
S1

H
m2
µ2
M2

G
p
2
X2
h2
m2
S2

net overhead 160 bits
17
SASD scheme intuition
Step 3. Recovering any type of data (intuition
only insecure!)
H
m1
µ1


M1
G
-1
p
1
X1
h1
m1
S1


H
M2
X1
G
-1
p
2
X2
h2
M2
S2

net overhead 160 bits
18
The SASD scheme

• Step 4. Getting the details right see paper.
• Theorem. If there exists a forger that
  (t,qS,qH,qG,n,e)-breaks SASD in the random oracle
  model, then there exists an algorithm that
  (t,e)-finds a claw in ?, where

19
Comparison of SAS(D) schemes
Scheme Based on Overhead( pk) Sign Verify
BGLS pairings 160 1 E n P
LOSSW pairings 320 2 P 160n M 2 P 160n M
LMRS RSA 1024 n E n E
SASD RSA, factoring 1601184 1 E 2n M 2n M
SAS RSA, factoring 1184 1 E 2n M 2n M
P pairing E exponentiation M
multiplication n signatures in aggregate
20
Non-interactive multi-signatures (MS)
n signatures on same message M
Sign(sk1,M)
s1
(pk1,,pkn), M, s

sn
0/1 ? Verify(pk,M,s)
S ? Agg(s1,, sn)
Sign(skn,M)

• Goal s lt s1 sn

21
Non-interactive multi-signed data (MSD)
n signatures on same message M
Sign(sk1,M)
S1
S

Sn
(pk,M)/ ? Verify(S)
S ? Agg(S1,, Sn)
-
Sign(skn,M)

• Goal minimize net overhead S M

22
MSD scheme
Each partial signature contains part of M
H
m1
µ1

M
m2
m3
µ2
µ3
m4
G
G
-1
p
G
1
-1
p
2
-1
p
3
h
m1
S1
S
m2
m3
S2
S3
m4

net overhead 160 bits

• Who takes which part of M?
• Fully non-interactive pos hash(pi,M)
• Known co-signers fixed (e.g. lexicographic) order

23
Comparison of MS(D) schemes
Scheme Based on Overhead( pk) Sign Verify
Bol pairings 160 1 E 2 P n M
LOSSW pairings 320 2 E 160 M 2 P (160n) M
MSD RSA, factoring 160 1024n 160 1 E 2n M 2n M
P pairing E exponentiation M
multiplication n signatures in aggregate
24
Closing remarks

• In summary propose SAS, SASD, MSD schemes
• first based on low-exponent RSA and factoring
• outperform existing schemes in many respects
• free choice of modulus size
• work with existing RSA/Rabin keys
• Tight reduction using Katz-Wang, or next talk
• Full version ePrint Report 2008/063