sequential aggregate signatures and multisignatures without random oracles
DESCRIPTION
Sequential Aggregate Signatures and Multisignatures Without Random Oracles. Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Secure BGP. BGP “Speakers” send path updates messages S-BGP sequence of messages + sigs. 4096 byte size limit. (M1, 1 ). - PowerPoint PPT PresentationTRANSCRIPT
1
Sequential Aggregate Signatures
and MultisignaturesWithout Random Oracles
Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters
2
Secure BGP
BGP “Speakers” send path updates messages
S-BGP sequence of messages + sigs.
4096 byte size limit
(M1,1)
(M1,1), (M2,2)
(M1,1), (M2,2), (M3,3)
4
Aggregate Signatures [BGLS03]
A single short aggregate provides nonrepudiation for many different messages under many different keys
More general than multisignatures
Applications:
X.509 certificate chains
Secure BGP route attestations
PGP web of trust
Verisign
Versign Europe
NatWest
NatWest WWW
5
BGLS Aggregate Sigs
BLS Sigs:
PK = ga SK=a
Sign(SK,M): =H(M)a
Verify(PK,M,): e(,g)=e( H(M), PK)
Secure in R.O. Model --- Deterministic Signatures
6
BGLS Aggregate Sigs
PKi = gai SKi=ai
Sign(SKi,Mi): i=H(M)i
Aggregate(1,…n): *=i=1… i
Verify(PKi,M1,…,Mn ,*): e(*,g)= i=1,…n e( H(Mi), PKi)
Verification requires n pairings
7
Difficulty w/o Random Oracles
Known efficient signatures have a random component•Strong RSA sigs[GHR’ 99, CS’99]•B-Map [BB’04,CL’04.W’05]•Tree- sigs
Difficult to aggregate • Independent signatures => Independent
randomness
8
Sequential Aggregates [LMRS’04]
Signing and Aggregation are a single operation
Inherently sequenced; not appropriate for PGP
Sign and Aggregate
9
Our Approach
Build from W’05 signatures
Signer uses same randomess from previous sig
Then re-randomizes
10
Our Aggregate Sigs
W’05 Sigs:
PK = e(g,g)a ,h, u1,…,um SK=a
Sign(SK,M): =(’,’’)=ga (h i=1,…m uMi)r , g-r
Verify(PK,M,): e(’,g) e( ’’, h i=1,…m uMi)=e(g,g)a
Secure w/o R.O.s
11
Our Aggregate Sigs
PKi = e(g,g)ai ,hi=gyi’, ui,1=gyi,1…,um, =gyi,m
SK =ai ,yi’, yi,1,…,yi,m
Agg(SKi,Mi,*=1,2):
x=DL(h j=1,…m uMi,j )
=(’,’’)=ga 2
x 1, 2
Verify(PK,M1,…Mn,*=(’,’’)):
e(’,g) e( ’’, i1…n hj j=1,…m uMi,j)=i=1…n e(g,g)ai
Know DL PK
12
Comparisons
Scheme R.O. Sequential
Size Ver. Sign
BGLS YES NO 160 bits
n+1 parings
1 exp.
LMRS-2 YES YES 1024 bits
4 mult. Ver. +1 exp.
Ours NO YES 320 bits
2 pairings
Ver. +1 exp.
Shorter than LMRS Faster Ver. than BGLS
13
Summary and Open Problems
Sequential Aggregate Signatures w/o R.O.•Use same randomness sequentially•Arguably better Performance than R.O.
schemes
Multi-Sigs and Verifiable Enc. Sigs
Shorter Public Parameters•Certificate Chains
Full Aggregate Signatures