
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps

Dan Boneh dabo@cs.stanford.edu
Craig Gentry cgentry@docomolabs-usa.com
Ben Lynn blynn@cs.stanford.edu
Hovav Shacham hovav@cs.stanford.edu

Abstract

An aggregate signature scheme is a digital signature that supports aggregation: Given signatures on distinct messages from distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the original messages) will convince the verifier that the users did indeed sign the original messages (i.e., user signed message for ). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext is the encryption of a signature on a given message. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.

Introduction

Many real-world applications involve signatures on many different messages generated by many different users. For example, in a Public Key Infrastructure (PKI) of depth each user is given a chain of certificates. The chain contains signatures by Certificate Authorities (CAs) on distinct certificates. Similarly, in the Secure BGP protocol (SBGP) [18] each router receives a list of signatures attesting to a certain path of length in the network. A router signs its own segment in the path and forwards the resulting list of signatures to the next router. As a result, the number of signatures in routing messages is linear in the length of the path. Both applications would benefit from a method for compressing the list of signatures on distinct messages issued by distinct parties. Specifically, X.509 certificate chains could be shortened by compressing the signatures in the chain into a single signature.

An aggregate signature scheme enables us to achieve precisely this type of compression. Suppose each of users has a public-private key pair (PK, SK). User signs message to obtain a signature. Then there is a public aggregation algorithm that takes as input all of and outputs a short compressed signature. Anyone can aggregate the signatures. Moreover, the aggregation can be performed incrementally. That is, signatures can be aggregated into 12 which can then be further aggregated with to obtain 123. When aggregating signatures in a certificate chain, each CA can incrementally aggregate its own signature into the chain. There is also an aggregate verification algorithm that takes and and decides whether the aggregate signature is valid. Intuitively, the security requirement is that the aggregate signature is declared valid only if the aggregator who created was given all of. Precise security definitions are given in Sect. 3.2. Thus, an aggregate signature provides non-repudiation at once on many different messages by many users.

We construct an aggregate signature scheme based on a recent short signature due to Boneh, Lynn, and Shacham (BLS) [6]. This signature scheme works in any group where the Decision Diffie-Hellman problem (DDH) is easy, but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6, 26]. Recently there have been a number of constructions using such gap groups [6, 19, 8, 4]. Surprisingly, general gap groups are insufficient for constructing efficient aggregate signatures. Instead, our construction uses a pair of groups and a bilinear map where CDH is hard in. Joux and Nguyen [17] showed that the map can be used to solve DDH in and so is a gap group. It is the extra structure provided by the bilinear map that enables us to construct an efficient aggregate signature scheme. We do not know how to build efficient aggregate signatures from general gap groups. Thus, our construction is an example where the bilinear map provides extra functionality beyond a simple algorithm for solving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [16], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [15, 13].

Aggregate signatures are related to multisignatures [20, 25, 24, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [20] defined a security model for multisignatures and gave some constructions and applications. Multisignatures are insufficient for the applications we have in mind, such as certificate chains and SBGP. For these applications we must be able to aggregate signatures on distinct messages. We note that recently Boldyreva [4] showed that general gap groups are sufficient for constructing multisignatures from BLS signatures. As noted above, to obtain aggregate signatures, one needs the extra structure provided by bilinear maps.

Our application of aggregate signatures to compressing certificate chains is related to an open problem posed by Micali and Rivest [21]: Given a certificate chain and some special additional signatures, can intermediate links in the chain be cut out? Aggregate signatures allow the compression of certificate chains without any additional signatures, but a verifier must still be aware of all intermediate links in the chain. We note that batch RSA [9] also provides some signature compression, but only for signatures produced by a single signer.

As a further application for aggregate signatures we show in Sect. that certain aggregate signature schemes give rise to simple verifiably encrypted signatures. These signatures enable user Alice to give Bob a signature on a message encrypted using a third party's public key and Bob to verify that the encrypted signature is valid. Verifiably encrypted signatures are used in optimistic contract signing protocols [1, 2] to enable fair exchange. Previous constructions [1, 27] require zero knowledge proofs to verify an encrypted signature. The verifiably encrypted signatures in Section are short and can be validated efficiently. We note that the resulting contract signing protocol is not abuse-free in the sense of [10].

As a third application of these ideas we construct in Sect. a simple ring signature [28] using bilinear maps. As above, the construction using a bilinear map is simpler and more efficient than constructions that only make use of gap groups.

Signature Schemes Based on Co-Gap Diffie-Hellman

We first review a few concepts related to bilinear maps and Gap Diffie-Hellman signatures [6]. Throughout the paper we use the following notation:

1. and are (multiplicative) cyclic groups of prime order
2. is a generator of and is a generator of
3. is a computable isomorphism from to with and
4. is a computable bilinear map as described below.

The isomorphism is mostly needed for the proofs of security. To keep the discussion general, we simply assume that exists and is efficiently computable. When are subgroups of the group of points of an elliptic curve the trace map on the curve can be used as this isomorphism (we assume and ).

Throughout the paper, we consider bilinear maps where all groups are multiplicative and of prime order. One could set. However, we allow for the more general case where so that our constructions can make use of certain families of non-supersingular elliptic curves defined by Miyaji et al. [22]. These curves give rise to very short signatures [6]. This will lead in turn to short aggregate signatures, ring signatures, etc. To handle the case we define the co-CDH and co-DDH problems [6]. When these problems reduce to the standard CDH and DDH problems. Hence, for the remainder of the paper, although we handle arbitrary for simplicity, the reader may assume and the identity map.

With this setup we obtain natural generalizations of the CDH and DDH problems:

Computational Co-Diffie-Hellman. Given and compute

Decision Co-Diffie-Hellman. Given and h; output yes if and no otherwise. When the answer is yes we say that h; is a co-Diffie-Hellman tuple.

When and these problems reduce to the standard CDH and DDH. Next we define co-GDH gap groups to be group pairs and on which co-DDH is easy but co-CDH is hard.

Definition 2.1. Two groups are a decision group pair for co-Diffie-Hellman if the group action on, the group action on, and the map from to can be computed in one time unit, and Decision co-Diffie-Hellman on can be solved in one time unit.

Definition 2.2. The advantage of an algorithm in solving the Computational co-Diffie-Hellman problem in groups and is Adv co-CDH def Pr. The probability is taken over the choice of and 's coin tosses. An algorithm t; )-breaks Computational co-Diffie-Hellman on and if runs in time at most and Adv co-CDH is at least. Two groups are a t; )-co-GDH group pair if they are a decision group pair for co-Diffie-Hellman and no algorithm t; )-breaks Computational co-Diffie-Hellman on them.

2.1 Bilinear Maps

Let and be groups as above, with an additional group such that. A bilinear map is a map with the following properties:

1. Bilinear: for all and a; u; ab
2. Non-degenerate: 1.

These properties imply more: for any ); and for any u; ).

Definition 2.3. Two groups are a bilinear group pair if the group action on either can be computed in one time unit, the map from to can be computed in one time unit, a bilinear map exists, and is computable in one time unit.

Definition 2.4. Two groups are a t; )-bilinear group pair for co-Diffie-Hellman if they are a bilinear group pair and no algorithm t; )-breaks Computational co-Diffie-Hellman on them.

Joux and Nguyen [17] showed that an efficiently-computable bilinear map provides an algorithm for solving the decision co-Diffie-Hellman problem. For a tuple h; we have mod h; Consequently, if two groups are a t; )-bilinear group pair for co-Diffie-Hellman, then they are also a t= )-co-GDH group pair. The converse is probably not true.

2.2 The Co-GDH Signature Scheme

We review the signature scheme of [6], which can be based on any gap group. It comprises three algorithms, KeyGen, Sign, and Verify, and uses a full-domain hash function viewed as a random oracle [3].

Key Generation. Pick random and compute. The public key is. The secret key is.

Signing. Given a secret key and a message compute ), where and. The signature is.

Verification. Given a public key, a message, and a signature compute and verify that h; is a valid co-Diffie-Hellman tuple.

A co-GDH signature is a single element of. On certain elliptic curves these signatures are very short: they are half the size of DSA signatures with similar security. Theorem of [6] proves the existential unforgeability of the scheme under a chosen message attack [14] in the random oracle model assuming is a co-gap group pair for Diffie-Hellman.

Aggregate Signatures

We define aggregate signatures and describe an aggregate signature scheme based on co-GDH signatures. Unlike the co-GDH scheme, aggregate signatures require the existence of a bilinear map. We define security models and provide proofs of security for aggregate signatures.

Consider a set of users. Each user has a signing keypair (PK, SK). We wish to aggregate the signatures of some subset. Each user produces a signature on a message of her choice. These signatures are then combined into a single aggregate by an aggregating party. The aggregating party, who can be different from and untrusted by the users in, has access to the users' public keys, to the messages, and to the signatures on them, but not to any private keys. The result of this aggregation is an aggregate signature whose length is the same as that of any of the individual signatures. This aggregate has the property that a verifier given along with the identities of the parties involved and their respective messages is convinced that each user signed her respective message.

3.1 Bilinear Aggregate Signatures

We describe a bilinear aggregate signature scheme based on the co-GDH scheme presented above. Individual signatures in the aggregate signature scheme are created and verified precisely as are signatures in the co-GDH scheme (Sect. 2.2). Aggregate verification makes use of a bilinear map on and.

The aggregate signature scheme allows the creation of signatures on arbitrary distinct messages. An individual signature is an element of. The base groups and, their respective generators and, the computable isomorphism from to, and the bilinear map, with target group, are system parameters.

The scheme comprises five algorithms: KeyGen, Sign, Verify, Aggregate, and AggregateVerify. The first three are as in ordinary signature schemes; the last two provide the aggregation capability. The scheme employs a full-domain hash function, viewed as a random oracle.

Key Generation. For a particular user, pick random and compute. The user's public key is. The user's secret key is.

Signing. For a particular user, given the secret key and a message compute ), where and. The signature is.

Verification. Given a user's public key, a message, and a signature compute ); accept if h; holds.

Aggregation. For the aggregating subset of users assign to each user an index ranging from to. Each user provides a signature on a message of his choice. The messages must all be distinct. Compute =1. The aggregate signature is.

Aggregate Verification. We are given an aggregate signature for an aggregating subset of users, indexed as before, and are given the original messages and public keys for all users. To verify the aggregate signature,

1. ensure that the messages are all distinct, and reject otherwise; and
2. compute for and accept if =1 holds.

A bilinear aggregate signature, like a co-GDH signature, is a single element of. Note that aggregation can be done incrementally.

The intuition behind bilinear aggregate signatures is as follows. Each user has a secret key and a public key. User 's signature, if correctly formed, is where is the hash of the user's chosen message. The aggregate signature is thus. Using the properties of the bilinear map, the left-hand side of the verification equation expands: which is the right-hand side, as required. It remains to prove the security of the scheme.

3.2 Aggregate Signature Security

Informally, the security of aggregate signature schemes is equivalent to the nonexistence of an adversary capable, within the confines of a certain game, of existentially forging an aggregate signature. Existential forgery here means that the adversary attempts to forge an aggregate signature, on messages of his choice, by some set of users.

We formalize this intuition as the aggregate chosen-key security model. In this model, the adversary is given a single public key. His goal is the existential forgery of an aggregate signature. We give the adversary power to choose all public keys except the challenge public key. The adversary is also given access to a signing oracle on the challenge key. His advantage, Adv AggSig, is defined to be his probability of success in the following game.

Setup. The aggregate forger is provided with a public key PK, generated at random.

Queries. Proceeding adaptively, requests signatures with PK on messages of his choice.

Response. Finally, outputs additional public keys PK PK. Here is at most, a game parameter. These keys, along with the initial key PK, will be included in 's forged aggregate. also outputs messages and, finally, an aggregate signature by the users, each on his corresponding message.

The forger wins if the aggregate signature is a valid aggregate on messages under keys PK PK, and is nontrivial, i.e., did not request a signature on under PK. The probability is over the coin tosses of the key-generation algorithm and of.

Definition 3.1. An aggregate forger t; )-breaks an -user aggregate signature scheme in the aggregate chosen-key model if: runs in time at most; makes at most queries to the hash function and at most queries to the signing oracle; Adv AggSig is at least; and the forged aggregate signature is by at most users. An aggregate signature scheme is t; )-secure against existential forgery in the aggregate chosen-key model if no forger t; )-breaks it.

A potential attack on aggregate signatures. The adversary's ability in the chosen-key model to generate keys suggests the following attack, previously considered in the context of multisignatures [20, 4]. Alice publishes her public key. Bob generates a private key and public key but publishes as his public key =v, a value whose discrete log he does not know. Then verifies as an aggregate signature on by both Alice and Bob. Note that in this forgery Alice and Bob both sign the same message.

One countermeasure is to require the adversary to prove knowledge of the discrete logarithms (to base ) of his published public keys. For example, Boldyreva, in her multisignature scheme [4], requires, in effect, that the adversary disclose the corresponding private keys. Micali et al. [20] discuss a series of more sophisticated approaches based on zero-knowledge proofs, again with the effect that the adversary is constrained in his key selection. These defenses apply equally well to our aggregate signature scheme. For aggregate signatures, though, there is a simpler defense.

A simple defense for aggregate signatures. In the context of aggregate signatures we can defend against the attack above by simply requiring that an aggregate signature is valid only if it is an aggregation of signatures on distinct messages. This restriction, codified in Step of AggregateVerify, suffices to prove the security of the bilinear aggregate signature scheme in the chosen-key model. There is no need for zero-knowledge proofs or the disclosure of private keys.
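The distinct-message check can be exercised in a toy model of the scheme. This is an added example, not code from the paper: it assumes a group element g^a is stored as its exponent a modulo a prime Q, so the pairing becomes multiplication of exponents and discrete logs are trivial, which keeps the algebra of Sect. 3.1 but none of its security. All function names and parameters are hypothetical, and the example also covers the public-key prefixing the paper describes for more general environments.

```python
import hashlib
import secrets

# Constructed toy parameters. An element g^a is represented by a mod Q:
# multiplying elements adds exponents, raising to x multiplies by x, and
# the pairing e(g^a, g^b) = gT^(ab) is a*b mod Q. Insecure by construction.
Q = 2**127 - 1   # prime group order
G = 5            # exponent of the generator; both source groups coincide


def pair(a, b):
    """Toy bilinear map on exponent representations."""
    return (a * b) % Q


def hash_to_group(msg):
    """Full-domain hash, modelled with SHA-256 reduced mod Q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, (x * G) % Q                    # secret x, public key g^x


def sign(x, msg):
    return (x * hash_to_group(msg)) % Q      # sigma = H(M)^x


def verify(v, msg, sigma):
    return pair(sigma, G) == pair(hash_to_group(msg), v)


def aggregate(sigs):
    return sum(sigs) % Q                     # product of the signatures


def aggregate_verify(signers, sigma, require_distinct=True):
    """signers is a list of (public_key, message) pairs."""
    msgs = [m for _, m in signers]
    if require_distinct and len(set(msgs)) != len(msgs):
        return False                         # step 1: reject repeated messages
    rhs = sum(pair(hash_to_group(m), v) for v, m in signers) % Q
    return pair(sigma, G) == rhs             # step 2: pairing equation


def prefix_key(v, msg):
    """Prepend the signer's public key (fixed 16 bytes) before hashing."""
    return v.to_bytes(16, "big") + msg


def malformed_key(v_alice):
    """Negative test input: the key from the attack described above,
    g^x' divided by Alice's key, whose discrete log its owner does not
    know in a real group."""
    x_prime = secrets.randbelow(Q - 1) + 1
    return x_prime, (x_prime * G - v_alice) % Q


def demo():
    xa, va = keygen()
    xc, vc = keygen()
    m1, m2 = b"cert: root -> intermediate", b"cert: intermediate -> leaf"
    agg = aggregate([sign(xa, m1), sign(xc, m2)])

    xp, vb = malformed_key(va)
    m = b"same message for both signers"
    claimed = sign(xp, m)                    # H(M)^x', claimed as Alice + Bob

    # Honest signers may sign identical content once keys are prefixed.
    shared = aggregate([sign(xa, prefix_key(va, m)), sign(xc, prefix_key(vc, m))])
    return {
        "honest_aggregate": aggregate_verify([(va, m1), (vc, m2)], agg),
        "no_distinct_check": aggregate_verify(
            [(va, m), (vb, m)], claimed, require_distinct=False),
        "distinct_check": aggregate_verify([(va, m), (vb, m)], claimed),
        "prefixed_malformed": aggregate_verify(
            [(va, prefix_key(va, m)), (vb, prefix_key(vb, m))], claimed),
        "prefixed_honest": aggregate_verify(
            [(va, prefix_key(va, m)), (vc, prefix_key(vc, m))], shared),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With the check disabled the malformed-key aggregate satisfies the pairing equation; with the check, or with key prefixing, it is rejected while honest aggregates still verify.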

The requirement that all messages in an aggregate be distinct is naturally satisfied for the applications to certificate chains and SBGP we have in mind. Even in more general environments it is easy to ensure that all messages are distinct: The signer simply prepends her public key to every message she signs prior to the application of the hash function. The implicit prefix need not be transmitted with the signature, so signature and message length is unaffected.

The next theorem shows that this simple constraint is sufficient for proving security in the chosen-key model.

Theorem 3.2. Let be a -bilinear group pair for co-Diffie-Hellman, with each group of order, with respective generators and, with an isomorphism computable from to, and with a bilinear map. Then the bilinear aggregate signature scheme on is t; -secure against existential forgery in the aggregate chosen-key model for all and satisfying and 4) 1) where is the base of natural logarithms, and exponentiation and inversion on take time.

Proof. Suppose is a forger algorithm that t; )-breaks the signature scheme. We show how to construct a -time algorithm that solves co-CDH in with probability at least. This will contradict the fact that are a )-co-GDH group pair.

Let be a generator of. Algorithm is given and where. Its goal is to output. Algorithm simulates the challenger and interacts with forger as follows.

Setup. Algorithm starts by giving the generator and the public key where is random in.

Hash Queries. At any time algorithm can query the random oracle. To respond to these queries, maintains a list of tuples as explained below. We refer to this list as the -list. The list is initially empty. When queries the oracle at a point algorithm responds as follows:

1. If the query already appears on the -list in some tuple b; then algorithm responds with
2. Otherwise, generates a random coin so that Pr[ 0] ).
3. Algorithm picks a random. If holds, computes. If holds, computes
4. Algorithm adds the tuple b; to the -list and responds to as

Note that, either way, is uniform in and is independent of 's current view as required.

Signature queries. Algorithm requests a signature on some message under the challenge key. Algorithm responds to this query as follows:

1. Algorithm runs the above algorithm for responding to -queries on, obtaining the corresponding tuple b; on the -list. If holds then reports failure and terminates.
2. We know that holds and hence. Let. Observe that and therefore is a valid signature on under the public key. Algorithm gives to algorithm

Output. Finally, halts. It either concedes failure, in which case so does, or it returns a value (where ), public keys, messages, and a forged aggregate signature. The messages must all be distinct, and must not have requested a signature on. Algorithm runs its hash algorithm at each, obtaining the corresponding tuples on the -list.

Algorithm now proceeds only if and, for 1; otherwise declares failure and halts. Since 0, it follows that. For 1, since 1, it follows that. The aggregate signature must satisfy the aggregate verification equation, =1. For each 1, sets. Then, for 1, So is a valid signature on (whose hash is ) by the key whose public component is. Now constructs a value =2. Then =2 =1 =2 Thus is a valid co-GDH signature by key on message whose hash is. Then calculates and outputs the required as.

This completes the description of algorithm. It remains to show that solves the given instance of the co-CDH problem in with probability at least. To do so, we analyze the three events needed for to succeed:

does not abort as a result of any of 's signature queries.

generates a valid and nontrivial aggregate signature forgery ).

Event occurs, and, in addition, 0, and, for 1, where for each is the -component of the tuple containing on the -list.

succeeds if all of these events happen. The probability Pr[ decomposes as Pr[ Pr[ Pr[ Pr (1)

The following claims give a lower bound for each of these terms.

Claim 3.3. The probability that algorithm does not abort as a result of 's aggregate signature queries is at least (1 )). Hence, Pr (1 )).

Proof. Without loss of generality assume that does not ask for the signature of the same message twice. We prove by induction that after makes signature queries the probability that does not abort is at least (1 )). The claim is trivially true for 0. Let be 's 'th signature query and let be the corresponding tuple on the -list. Then, prior to 's issuing the query, the bit is independent of 's view; the only value that could be given to that depends on is ), but the distribution of is the same whether or 1. Therefore, the probability that this query causes to abort is at most ). Using the inductive hypothesis and the independence of, the probability that does not abort after this query is at least (1 )). This proves the inductive claim. Since makes at most signature queries the probability that does not abort as a result of all signature queries is at least (1 )).

Claim 3.4. If algorithm does not abort as a result of 's queries then algorithm 's view is identical to its view in the real attack. Hence, Pr[

Proof. The public key given to is from the same distribution as public keys produced by algorithm KeyGen. Responses to hash queries are as in the real attack since each response is uniformly and independently distributed in. Since did not abort as a result of 's signature queries, all its responses to those queries are valid. Therefore will produce a valid and nontrivial aggregate signature forgery with probability at least. Hence Pr[

Claim 3.5. The probability that algorithm does not abort after outputs a valid and nontrivial forgery is at least (1 )). Hence, Pr (1 )).

Proof. Events and have occurred, and has generated some valid and nontrivial forgery ). For each let be the tuple corresponding to on the -list. Algorithm will abort unless generates a forgery such that and, for 1, 1. Since all the messages are distinct, the values are all independent of each other; as before, is independent of for each.

Since its forgery is nontrivial, cannot have asked for a signature on under key. It can thus have no information about the value of; in the forged aggregate, occurs with probability. For each 1, either asked for a signature under key on in which case with probability 1, or it didn't, and with probability ). Regardless, the probability that for all is at least (1 )) (1 )). Therefore Pr (1 )) ), as required.

To complete the proof of Theorem 3.2, we use the bounds from the claims above in equation (1). Algorithm produces the correct answer with probability at least =e as required. Algorithm 's running time is the same as 's running time plus the time it takes to respond to hash queries and signature queries, and the time to transform 's final forgery into the co-CDH solution. Each query requires an exponentiation in. The output phase requires at most additional hash computations, inversions, exponentiations, and multiplications. We assume that exponentiation and inversion in take time. Hence, the total running time is at most 4) as required. This completes the proof of Theorem 3.2.

Aggregate verification time. Let be an aggregate of the signatures. The time to verify the aggregate signature is linear in. In the special case when all signatures are issued by the same public key, aggregate verification is faster. One need only verify that =1 )) holds, where are the signed messages.

Verifiably Encrypted Signatures

Next, we show an application of aggregate signatures to verifiably encrypted signatures. Verifiably encrypted signatures are used in applications such as online contract signing [1, 2]. Suppose Alice wants to show Bob that she has signed a message, but does not want Bob to possess her signature of that message. (Alice will give her signature to Bob only when a certain event has occurred, e.g., Bob has given Alice his signature on the same message.) Alice can achieve this by encrypting her signature using the public key of a trusted third party, and sending this to Bob along with a proof that she has given him a valid encryption of her signature. Bob can verify that Alice has signed the message, but cannot deduce any information about her signature. Later in the protocol, if Alice is unable or unwilling to reveal her signature, Bob can ask the third party to reveal Alice's signature. We note that the resulting contract signing protocol is not abuse-free in the sense of [10].

We show that a variant of the bilinear aggregate signature scheme allows the creation of very efficient verifiably encrypted signatures.

4.1 Verifiably Encrypted Signature Security

A verifiably encrypted signature scheme comprises seven algorithms. Three, KeyGen, Sign, and Verify, are analogous to those in ordinary signature schemes. The others, AdjKeyGen, VESigCreate, VESigVerify, and Adjudicate, provide the verifiably encrypted signature capability. The algorithms are described below. We refer to the trusted third party as the adjudicator.

Key Generation, Signing, Verification. As in standard signature schemes.

Adjudicator Key Generation. Generate a public-private key pair (APK, ASK) for the adjudicator.

VESig Creation. Given a secret key SK, a message, and an adjudicator's public key APK, compute (probabilistically) a verifiably encrypted signature on.

VESig Verification. Given a public key PK, a message, an adjudicator's public key APK, and a verifiably encrypted signature, verify that is a valid verifiably encrypted signature on under key PK.

Adjudication. Given an adjudicator's keypair (APK, ASK), a certified public key PK, and a verifiably encrypted signature on some message, extract and output an ordinary signature on under PK.

Besides the ordinary notions of signature security in the signature component, we require three security properties of verifiably encrypted signatures: validity, unforgeability, and opacity. We describe these properties in the single user setting.

Validity requires that verifiably encrypted signatures verify, and that adjudicated verifiably encrypted signatures verify as ordinary signatures, i.e., that VESigVerify VESigCreate )) and Verify Adjudicate VESigCreate )) hold for all and for all properly-generated keypairs and adjudicator keypairs. (The keys provided to the algorithms are here omitted for brevity.)

Unforgeability requires that it be difficult to forge a valid verifiably encrypted signature. The advantage in existentially forging a verifiably encrypted signature of an algorithm, given access to a verifiably-encrypted-signature creation oracle and an adjudication oracle, along with a hash oracle, is Adv VSigF def Pr VESigVerify PK APK valid PK SK KeyGen APK ASK AdjKeyGen ;A PK APK. The probability is taken over the coin tosses of the key-generation algorithms, of the oracles, and of the forger. The forger is additionally constrained in that its forgery on must be nontrivial: It must not previously have queried either oracle at. Note that an ordinary signing oracle is not provided; it can be simulated by a call to followed by a call to.

Definition 4.1. A verifiably encrypted signature forger t; )-forges a verifiably encrypted signature if: Algorithm runs in time at most; makes at most queries to the hash function, at most queries to the verifiably-encrypted-signature creation oracle, at most queries to the adjudication oracle; and Adv VSigF is at least. A verifiably encrypted signature scheme is t; )-secure against existential forgery if no forger t; )-breaks it.

Opacity requires that it be difficult, given a verifiably encrypted signature, to extract an ordinary signature on the same message. The advantage in extracting a verifiably encrypted signature of an algorithm, given access to a verifiably-encrypted-signature creation oracle and an adjudication oracle, along with a hash oracle, is Adv VSigE def Pr Verify PK valid PK SK KeyGen APK ASK AdjKeyGen ;A PK APK. The probability is taken over the coin tosses of the key-generation algorithms, of the oracles, and of the forger. The extraction must be nontrivial: the adversary must not have queried the adjudication oracle at. (It is allowed, however, to query at.) Verifiably encrypted signature extraction is thus no more difficult than forgery in the underlying signature scheme.

Definition 4.2. An algorithm t; )-extracts a verifiably encrypted signature if runs in time at most, makes at most queries to the hash function, at most queries to the verifiably-encrypted-signature creation oracle, at most queries to the adjudication oracle, and Adv VSigE is at least. A verifiably encrypted signature scheme is t; )-secure against extraction if no algorithm t; )-extracts it.

4.2 Aggregate Extraction

Our verifiably encrypted signature scheme depends on the assumption that given an aggregate signature of signatures it is difficult to extract the individual signatures.

Consider the bilinear aggregate signature scheme on group pair ). We posit that it is difficult to recover the individual signatures given their aggregate, the public keys, and the message hashes. In fact, we posit that it is difficult to recover an aggregate of any proper subset of the signatures. This we term the -element aggregate extraction problem.

Page 12

We formalize this assumption as follows. Let be a bilinear group pair for co-Diffie-Hellman, each of order with respective generators and a computable isomorphism such that ), and a computable bilinear map Consider a -user aggregate in this setting. Each user has a private key and a public key Each user selects a distinct message whose hash is and creates a signature Finally the signatures are aggregated, yielding Let be the set Each public key can be expressed as each hash as each signature as and the aggregate signature as where The advantage of an algorithm in extracting a subaggregate from a -element aggregate is Adv -Extr def Pr

The probability is taken over the choices of all and and the coin tosses of

Definition 4.3. An algorithm t; )-extracts a subaggregate from an -element bilinear aggregate signature if runs in time at most and Adv -Extr is at least An instantiation of the bilinear aggregate signature scheme is t; )-secure against aggregate extraction if no algorithm t; )-extracts it.

We will be particularly concerned with the case 2. In this case, the aggregate extraction problem reduces to this one: given and au bv calculate au (If the extractor outputs bv instead, we may recover au as au bv =g bv .)

4.3 Verifiably Encrypted Signatures via Aggregation

We motivate our construction for verifiably encrypted signatures by considering aggregate signatures as a launching point. An aggregate signature scheme can give rise to a verifiably encrypted signature scheme if it is difficult to extract individual signatures from an aggregate, but easy to forge existentially under the adjudicator’s key. Consider the following:

1. Alice wishes to create a verifiably encrypted signature, which Bob will verify; Carol is the adjudicator. Alice and Carol’s keys are both generated under the underlying signature scheme’s key-generation algorithm.
2. Alice creates a signature on under her public key. She forges a signature on some random message under Carol’s public key. She then combines and obtaining an aggregate The verifiably encrypted signature is the pair ).
3. Bob validates Alice’s verifiably encrypted signature on by checking that is a valid aggregate signature by Alice on and by Carol on
4. Carol adjudicates, given a verifiably encrypted signature on by Alice, by computing a signature on under her key and removing from the aggregate; what remains is Alice’s ordinary signature

In the bilinear aggregate signature scheme, it is difficult to extract individual signatures, under the aggregate extraction assumption. Moreover, existential forgery is easy when the random oracle hash function is set aside: Given public key and is a valid signature on a message whose hash is Below, we formalize and prove the security of the verifiably encrypted signature scheme created in this

4.4 The Bilinear Verifiably-Encrypted Signature Scheme

The bilinear verifiably encrypted signature scheme is built on the bilinear aggregate signature scheme of the previous section. It shares the key-generation algorithm with the underlying aggregate scheme. Moreover, the adjudicator’s public and private information is simply an aggregate-signature keypair. The scheme comprises the seven algorithms described below:

Key Generation. KeyGen and AdjKeyGen are the same as KeyGen in the co-GDH signature scheme.

Signing, Verification. Sign and Verify are the same as in the co-GDH signature scheme.

VESig Creation. Given a secret key a message and an adjudicator’s public key compute ), where and Select at random from and set and Aggregate and as The verifiably encrypted signature is the pair ). (This can also be viewed as ElGamal encryption of under the adjudicator’s key .)

VESig Verification. Given a public key a message an adjudicator’s public key and a verifiably encrypted signature ), set ); accept if h; ; holds.

Adjudication. Given an adjudicator’s public key and corresponding private key a certified public key and a verifiably encrypted signature on some message ensure that the verifiably encrypted signature is valid; then output =

If the adjudicator does not first validate a purported verifiably encrypted signature, a malicious user can trick him into signing arbitrary messages under his adjudication key. Similarly, the adjudicator should only adjudicate for certified public keys. We assume that the CA, in issuing a certificate on verifies that the user knows the private key for

It is easy to see that validity holds. A verifiably encrypted signature correctly validates under VESigVerify, which is simply the aggregate signature verification algorithm. Moreover, for any valid verifiably encrypted signature, = ; h; ; ; h; ), so the output of Adjudicate is a valid signature on message under the key The next theorems prove the unforgeability and opacity of the scheme.

Theorem 4.4. Let and be cyclic groups of prime order with respective generators and with a computable bilinear map Suppose that the co-GDH signature scheme is -secure against existential forgery on Then the bilinear verifiably encrypted signature scheme is t; -secure against existential forgery on for all and all satisfying 1) where exponentiation and inversion on take time

Proof. Given a verifiably-encrypted-signature forger algorithm we construct a forger algorithm for the underlying co-GDH signature scheme. We assume that is well-behaved in the sense that it always requests the hash of a message before it requests a verifiably encrypted signature or an adjudication involving and that it never requests adjudication on a message on which it had not previously asked for a verifiably encrypted signature. It is trivial to modify any forger algorithm to have the first property. The second property is reasonable since the input to the adjudication oracle in this case would be a nontrivial verifiably encrypted signature forgery; can be modified simply to output it and halt.

The co-GDH forger is given a public key and has access to a signing oracle for and a hash oracle. It simulates the challenger and runs interacts with as follows.

Setup. Algorithm generates a key KeyGen which serves as the adjudicator’s key. Now runs providing as input the public keys and

Hash Queries. Algorithm requests a hash on some string Algorithm makes a query on to its own hash oracle, receiving some value with which it responds to ’s query.

VerSig Creation Queries. Algorithm requests a signature on some string (It will have already queried the hash oracle at .) queries its signing oracle (for at obtaining It then selects at random from and returns to the pair ).

Adjudication Queries. Algorithm requests adjudication for ), a verifiably encrypted signature on a message under key and adjudicator key Algorithm checks that the verifiably encrypted signature is valid, then returns =

Output. Finally halts, either declaring failure, in which case too, declares failure and halts, or providing a valid and nontrivial verifiably encrypted signature on a message sets which, by the validity property, is a valid co-GDH signature on under key That the forgery is nontrivial means that did not query the verifiably encrypted signature oracle at from which it follows that did not query its signing oracle at Thus is a nontrivial co-GDH forgery; algorithm outputs it and halts.

It remains only to analyze the success probability and running time of Algorithm succeeds whenever does, that is, with probability at least Algorithm ’s running time is the same as ’s running time plus the time it takes to respond to hash queries, verifiably-encrypted signature queries, and adjudication queries, and the time to transform ’s final verifiably-encrypted signature forgery into a co-GDH signature forgery. Hash queries impose no overhead. Each verifiably-encrypted signature query requires to perform exponentiations in Each adjudication query requires to perform an exponentiation and an inversion in The output phase also requires an exponentiation and an inversion. We assume that exponentiation and inversion in take time Hence, the total running time is at most 1). queries its hash oracle whenever queries its hash oracle, and its signing oracle whenever queries its verifiably encrypted signature oracle. Combining all this, we see that if t; )-forges a bilinear verifiably encrypted signature on ), then 1) )-breaks the co-GDH signature scheme on ). Conversely, if the co-GDH signature scheme is )-secure, then the bilinear verifiably encrypted signature scheme is 1) )-secure against existential forgery.

Theorem 4.5. Let and be cyclic groups of prime order with respective generators and with a computable isomorphism such that and a computable bilinear map Suppose that the bilinear aggregate signature scheme on is -secure against aggregate extraction. Then the bilinear verifiably encrypted signature scheme is t; -secure against extraction on for all and satisfying 1) and 3)

where is the base of natural logarithms, and exponentiation and inversion on take time

Proof. Given a verifiably-encrypted-signature extractor algorithm we construct an aggregate extractor algorithm The co-GDH forger is given values and in and in It runs answering its oracle calls, and uses ’s verifiably encrypted signature extraction to calculate the answer to its own extraction challenge. Let be a generator of and of such that Algorithm is given and Its goal is to output Algorithm simulates the challenger and interacts with verifiably-encrypted-signature extractor as follows.

Setup. Algorithm sets the signer’s public key and the adjudicator’s public key It gives and to

Hash Queries. At any time algorithm can query the random oracle To respond to these queries, maintains a list of tuples as explained below. We refer to this list as the -list. The list is initially empty. When queries the oracle at a point algorithm responds as follows:

1. If the query already appears on the -list in some tuple b; then algorithm responds with
2. Otherwise, generates a random coin so that Pr[ 0] 1).
3. Algorithm picks a random If holds, computes If holds, computes
4. Algorithm adds the tuple b; to the -list and responds to as

VerSig Creation Queries. requests a verifiably-encrypted signature on some string under challenge key and adjudicator key Algorithm responds to this query as follows:

1. Algorithm runs the above algorithm for responding to -queries on obtaining the corresponding tuple b; on the -list.
2. selects at random from If equals 0, computes and returns ). If equals 1, computes and returns ).

It is easy to verify that ; is in either case a correct verifiably encrypted signature on the message with hash

Adjudication Queries. Algorithm requests adjudication for ), a verifiably encrypted signature on a message under key and adjudicator key Algorithm responds to this query as follows:

1. Algorithm runs the above algorithm for responding to -queries on obtaining the corresponding tuple b; on the -list.
2. Algorithm checks that the verifiably encrypted signature is valid. If it is not, returns a placeholder value.
3. If equals 0, declares failure and halts. Otherwise, it computes and returns

It is easy to verify that is the correct co-GDH signature under key on the message with hash

Output. Finally halts. It either concedes failure, in which case so does or returns a nontrivial extracted signature on some message For the extraction to be nontrivial, must not have asked for adjudication on a verifiably encrypted signature of Algorithm runs its hash algorithm at obtaining the corresponding tuples on the -list. now proceeds only if 0; otherwise it declares failure and halts. Since 0, it follows that The extracted signature must satisfy the co-GDH verification equation, ). sets = Then Where in the last equality we substitute Thus is a valid co-Diffie-Hellman tuple, so equals the answer to the aggregate extraction problem; algorithm outputs it and halts.

This completes the description of algorithm It remains to show that solves the given instance of the aggregate extraction problem on with probability at least To do so, we analyze the three events needed for to succeed: does not abort as a result of any of ’s adjudication queries. generates a valid and nontrivial verifiably-encrypted signature extraction ). Event occurs, and holds, where is the -component of the tuple containing on the -list. succeeds if all of these events happen. The probability Pr decomposes as Pr[ Pr[ Pr[ Pr (2)

The following claims give a lower bound for each of these terms.

Claim 4.6. The probability that algorithm does not abort as a result of ’s adjudication queries is at least =e Hence, Pr[ =e

Proof. Without loss of generality assume that does not ask for adjudication of the same message twice. We prove by induction that after makes signature queries the probability that does not abort is at least (1 1)) The claim is trivially true for 0. Let be ’s ’th adjudication query for verifiably encrypted signature ), on message under the challenge key and let be the corresponding tuple on the -list. Then prior to issuing the query the bit is independent of ’s view the only values that could be given to that depend on are and verifiably-encrypted signatures on but the distributions on these values are the same whether or 1. Therefore, the probability that this query causes to abort is at most 1). Using the inductive hypothesis and the independence of the probability that does not abort after this query is at least (1 1)) This proves the inductive claim. Since makes at most adjudication queries the probability that does not abort as a result of all signature queries is at least (1 1)) =e

Claim 4.7. If algorithm does not abort as a result of ’s adjudication queries then ’s view is identical to its view in the real attack. Hence, Pr[

Proof. The challenge public key given to is from the same distribution as public keys produced by KeyGen the adjudicator’s public key given to is from the same distribution as the adjudicator keys produced by AdjKeyGen Responses to hash queries are as in the real attack since each response is uniformly and independently distributed in Responses to verifiably-encrypted signature queries are also as in the real attack: They are valid, and their components are uniformly and independently distributed in Since did not abort as a result of ’s adjudication queries, all its responses to those queries are valid. Therefore will produce a valid and nontrivial verifiably-encrypted signature extraction with probability at least Hence Pr

Claim 4.8. The probability that algorithm does not abort after outputs a valid and nontrivial verifiably-encrypted signature extraction is at least 1) Hence, Pr[ 1)

Proof. Given that events and happened, algorithm will abort only if generates a forgery for which the tuple on the -list has 1. Since its extraction is nontrivial, could not have requested adjudication on any verifiably encrypted signature on and must be independent of ’s current view. Therefore Pr[ 1) as required.

Using the bounds from the claims above in equation (2) shows that produces the correct answer with probability at least =e 1) as required. Algorithm ’s running time is the same as ’s running time plus the time it takes to respond to ’s oracle queries and to transform ’s verifiably-encrypted signature extraction into an aggregate extraction. Each verifiably-encrypted signature query each adjudication query and the output phase requires to run its -algorithm. It must therefore run this algorithm 1) times. Each run requires an exponentiation in Algorithm must run its verifiably-encrypted signing algorithm times, and each run requires at most three exponentiations in Finally ’s output phase requires at most one exponentiation and one inversion in We assume that exponentiation and inversion in take time Hence, the total running time is at most 3) as required.

4.5 Observations on Verifiably Encrypted Signatures

We note some extensions of the verifiably encrypted signature scheme discussed above. Some of these rely for security on the -element aggregate extraction assumption with 2.

Anyone can convert an ordinary unencrypted signature to a verifiably encrypted signature. The same applies to unencrypted aggregate signatures.

An adjudicator’s private key can be shared amongst parties using -of- threshold cryptography [12, 11], so that parties are needed to adjudicate a verifiably encrypted signature.

A message-signature pair in the co-GDH signature scheme is of the same form as an identity–private-key pair in the Boneh-Franklin Identity-Based Encryption Scheme [5]. Thus the verifiably encrypted signature scheme can potentially be modified to yield a verifiably encrypted encryption scheme for IBE private keys. Verifiably encrypted private keys have many applications [27].

Ring Signatures

Rivest, Shamir and Tauman define ring signature schemes and construct some using RSA and Rabin cryptosystems [28]. Naor defines the closely-related notion of deniable ring authentication and proposes such a scheme that relies only on the existence of a strong encryption function [23]. We shall see that co-GDH signatures give rise to natural ring signatures.

5.1 Ring Signatures

Consider a set of users. Each user has a signing keypair PK SK ). A ring signature on is a signature that is constructed using all the public keys of the users in and a single private key of any user in A ring signature has the property that a verifier is convinced that the signature was produced using one of the private keys of but is not able to determine which one. This property is called signer-ambiguity [28]. Applications for ring signatures include authenticated (yet repudiable) communication and leaking secrets [28].

Zhang and Kim [29] devised a bilinear ring signature in an identity-based setting. Our scheme differs from theirs, as our goal is to extend co-GDH signatures to obtain efficient ring signatures; the system parameters and key generation algorithm in our system are identical to those of the co-GDH scheme.

5.2 Bilinear Ring Signatures

The ring signature scheme comprises three algorithms: KeyGen, RingSign, and RingVerify. Recall are generators of groups respectively, and is a bilinear map, and a computable isomorphism exists, with Again we use a full-domain hash function The security analysis views as a random oracle.

Key Generation. For a particular user, pick random and compute The user’s public key is The user’s secret key is

Ring Signing. Given public keys a message and a private key corresponding to one of the public keys for some choose random for all Compute and set h= =x For all let Output the ring signature

Ring Verification. Given public keys a message and a ring signature compute and verify that h; =1 ).

Using the bilinearity and nondegeneracy of the pairing it is easy to show that a signature produced by the RingSign algorithm will verify under the RingVerify algorithm.

5.3 Security

There are two aspects a security analysis for ring signatures must consider. Firstly, signer ambiguity must be ensured. We show that the identity of the signer is unconditionally protected.

Theorem 5.1. For any algorithm any set of users and random the probability Pr[ is at most where is any ring signature on generated with private key SK

Proof. The theorem follows from a simple probability argument: for any and any the distribution for s; chosen such that =1 is identical to the distribution =1 since the value of any one of the ’s is uniquely determined by the values of the other ’s.

Secondly, we need to examine the scheme’s resistance to forgery. We adopt the security model of Rivest, Shamir and Tauman [28]. Consider the following game played between an adversary and a challenger. The adversary is given the public keys of a set of users and is given oracle access to and a ring-signing oracle. The adversary may work adaptively. The goal of the adversary is to output a valid ring signature on of a message subject to the condition that has never been presented to the ring-signing oracle. An adversary ’s advantage Adv RingSig in existentially forging a bilinear ring signature is the probability, taken over the coin tosses of the key-generation algorithm and of the forger, that succeeds in creating a valid ring signature in the above game.

Theorem 5.2. Suppose is a -algorithm that can produce a forgery of a ring signature on a set of users of size Then there exists an t; -algorithm that can solve the co-CDH problem where (2 nq and (( =e )(1 )) where issues at most ring-signature queries and at most hash queries, and exponentiation and inversion on take time

Proof. The co-CDH problem can be solved by first solving random instances of the following problem: Given ab (and ), compute We shall construct an algorithm that solves this problem. This is easy if 0. In what follows, we assume 0. Initially picks at random from and sets 1. It sets Algorithm is given the public keys

Without loss of generality we may assume submits distinct queries (as previous replies can be cached); that for every ring-signing query on a message has previously issued a hash query for and that issues a hash query on the message on which it attempts to forge a signature some time before giving its final output.

On a hash query flips a coin that shows with probability and otherwise shall be determined later). Then picks a random and if the coin shows 0, returns ab otherwise it returns

Suppose issues a ring sign query for a message By assumption, has previously issued a hash query for If the coin flipped for this -query showed 0, then fails and exits. Otherwise had returned for some In this case chooses random computes ), and returns the signature

Eventually outputs a forgery for message Again by assumption, has previously issued an -query for If the coin flipped for this query did not show then fails. Otherwise abr for some chosen and outputs the th root of

Algorithm cannot distinguish between ’s simulation and real life. Also, will not fail with probability (1 which is maximized when 1), giving a bound of (1 =e )(1 ). If it does not fail and successfully forges a ring signature then is successful and outputs

Algorithm requires exponentiations on in setup, one exponentiation for each of ’s hash queries, exponentiations for each of ’s signature queries, and exponentiations in the output phase, so its running time is ’s running time plus (2 nq ).
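An added sketch, not code from the paper, of the verifiably encrypted signature flow of Sections 4.3 and 4.4 and the ring signature of Section 5.2, both written against one toy pairing. It follows the published equations, but `Elem` stores each element's discrete log, so the model only checks the algebra and gives no security; `Q`, `Elem` and every function name are assumptions of this sketch.

```python
import hashlib
import secrets

Q = 2**127 - 1  # prime group order picked for this sketch (assumption)


class Elem:
    """Group element g^log. Storing the log makes the model exact but insecure."""
    def __init__(self, group, log):
        self.group, self.log = group, log % Q
    def __mul__(self, o):                      # group operation
        assert self.group == o.group
        return Elem(self.group, self.log + o.log)
    def __truediv__(self, o):                  # multiply by the inverse
        assert self.group == o.group
        return Elem(self.group, self.log - o.log)
    def __pow__(self, k):                      # exponentiation by a scalar
        return Elem(self.group, self.log * k)
    def __eq__(self, o):
        return (self.group, self.log) == (o.group, o.log)


G1, G2 = Elem("G1", 1), Elem("G2", 1)          # generators g1, g2

def pair(a, b):                                # bilinear map e: G1 x G2 -> GT
    assert a.group == "G1" and b.group == "G2"
    return Elem("GT", a.log * b.log)

def psi(b):                                    # isomorphism G2 -> G1, psi(g2) = g1
    return Elem("G1", b.log)

def hash_to_g1(msg):                           # full-domain hash H into G1
    return G1 ** int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1

def keygen():                                  # (x, v = g2^x)
    x = rand_scalar()
    return x, G2 ** x

def sign(x, msg):                              # co-GDH signature sigma = h^x
    return hash_to_g1(msg) ** x

def verify(v, msg, sigma):                     # e(sigma, g2) == e(h, v)
    return pair(sigma, G2) == pair(hash_to_g1(msg), v)

# --- Verifiably encrypted signatures (Sections 4.3 and 4.4) ---
def ves_create(x, msg, v_adj):
    r = rand_scalar()
    mu = psi(G2) ** r                          # plays the adjudicator's message hash
    sigma_adj = psi(v_adj) ** r                # = mu^x', forged without knowing x'
    return sign(x, msg) * sigma_adj, mu        # (omega, mu)

def ves_verify(v, msg, v_adj, ves):            # aggregate check over (h, v), (mu, v')
    omega, mu = ves
    return pair(omega, G2) == pair(hash_to_g1(msg), v) * pair(mu, v_adj)

def adjudicate(x_adj, v_adj, v, msg, ves):
    if not ves_verify(v, msg, v_adj, ves):     # validate before using the key
        raise ValueError("refusing to adjudicate an invalid VES")
    omega, mu = ves
    return omega / (mu ** x_adj)               # strips sigma', leaving h^x

# --- Ring signatures (Section 5.2) ---
def ring_sign(keys, s, x_s, msg):
    a = [rand_scalar() for _ in keys]
    sigs = [G1 ** a_i for a_i in a]            # sigma_i = g1^a_i for i != s
    rest = Elem("G2", 0)                       # identity; accumulates v_i^a_i
    for i, v in enumerate(keys):
        if i != s:
            rest = rest * (v ** a[i])
    sigs[s] = (hash_to_g1(msg) / psi(rest)) ** pow(x_s, -1, Q)
    return sigs

def ring_verify(keys, msg, sigs):              # e(h, g2) == prod e(sigma_i, v_i)
    if len(sigs) != len(keys):
        return False
    acc = Elem("GT", 0)
    for sig, v in zip(sigs, keys):
        acc = acc * pair(sig, v)
    return acc == pair(hash_to_g1(msg), G2)
```

`adjudicate` raises before touching the adjudication key when the pair fails aggregate verification, which is the validation step Section 4.4 requires of the adjudicator.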

5.4 Observations on Ring Signatures

Any ring signature scheme restricts to an ordinary signature scheme when 1. Our scheme restricts to a short signature scheme similar to the co-GDH scheme [6]. In this modified co-GDH scheme, equals =x rather than and one verifies that h; rather than that h; ).

Bresson et al. [7] extend Rivest-Shamir-Tauman ring signatures to obtain threshold and ad-hoc ring signatures. However, bilinear ring signatures have interesting properties that do not appear to be shared by ring signatures in general. For any set of users with anyone can convert a modified co-GDH signature into a ring signature Specifically, to convert a modified co-GDH signature on for public key into a ring signature on for public keys choose for and set =2 and for More generally, anyone can further anonymize a ring signature by adding users to

Conclusions

We introduced the concept of aggregate signatures and constructed an efficient aggregate signature scheme based on bilinear maps. Key generation, aggregation, and verification require no interaction. We proved security of the system in a model that gives the adversary his choice of public keys and messages to forge. For security, we introduced the additional constraint that an aggregate signature is valid only if it is an aggregation of signatures on distinct messages. This constraint is satisfied naturally for the applications we have in mind. More generally, the constraint can be satisfied by prepending the public key to the message prior to signing.

We gave several applications for aggregate signatures. For example, they can be used to reduce the size of certificate chains and reduce communication bandwidth in protocols such as SBGP. We also showed that our specific aggregate signature scheme gives verifiably encrypted signatures.

Previous signature constructions using bilinear maps [6, 19, 8, 4] only required a gap Diffie-Hellman group (i.e., DDH easy but CDH hard). The signature constructions in this paper require the extra structure provided by the bilinear map. These constructions are an example where a bilinear map provides more power than a generic gap Diffie-Hellman group.

Acknowledgments

The authors thank Leonid Reyzin, Liqun Chen, Alice Silverberg, and Cynthia Dwork for helpful discussions about this work. The first author is supported by DARPA, the Packard foundation, and an NSF CAREER award. The third and fourth authors are supported by DARPA and NSF.

References

[1] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Comm., 18(4):593–610, April 2000.
[2] F. Bao, R. Deng, and W. Mao. Efficient and practical fair exchange protocols with off-line TTP. In Proceedings of IEEE Symposium on Security and Privacy, pages 77–85, 1998.

[3] M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Proceedings of Eurocrypt ’96, volume 1070 of LNCS, pages 399–416. Springer-Verlag, 1996.
[4] A. Boldyreva. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 31–46. Springer-Verlag, 2003.
[5] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Computing, 32(3):586–615, 2003. Extended abstract in Proceedings of Crypto 2001.
[6] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 514–32. Springer-Verlag, 2001. Full paper: http://crypto.stanford.edu/~dabo/pubs.html.
[7] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications to ad-hoc groups. In M. Yung, editor, Proceedings of Crypto 2002, volume 2442 of LNCS, pages 465–80. Springer-Verlag, 2002.
[8] Y. Dodis. Efficient construction of (distributed) verifiable random functions. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 1–17. Springer-Verlag, 2003.
[9] A. Fiat. Batch RSA. In Proceedings of Crypto ’89, pages 175–185, 1989.
[10] J. Garay, M. Jakobsson, and P. MacKenzie. Abuse-free optimistic contract signing. In Proceedings of Crypto ’99, volume 1666 of LNCS, pages 449–466. Springer-Verlag, 1999.
[11] P. Gemmel. An introduction to threshold cryptography. RSA CryptoBytes, 2(3):7–12, 1997.
[12] R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk. Robust and efficient sharing of RSA functions. J. Cryptology, 13(2):273–300, 2000.
[13] C. Gentry and A. Silverberg. Hierarchical ID-based cryptography. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 548–66. Springer-Verlag, 2002.
[14] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, 1988.
[15] J. Horwitz and B. Lynn. Toward hierarchical identity-based encryption. In Proceedings of Eurocrypt 2002, volume 2332 of LNCS, pages 466–81. Springer-Verlag, 2002.
[16] A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proceedings of ANTS IV, volume 1838 of LNCS, pages 385–94. Springer-Verlag, 2000.
[17] A. Joux and K. Nguyen. Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups. Cryptology ePrint Archive, Report 2001/003, 2001. http://eprint.iacr.org/.
[18] S. Kent, C. Lynn, and K. Seo. Secure border gateway protocol (Secure-BGP). IEEE J. Selected Areas in Comm., 18(4):582–92, April 2000.
[19] A. Lysyanskaya. Unique signatures and verifiable random functions from the DH-DDH separation. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 597–612. Springer-Verlag, 2002.
[20] S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisignatures (extended abstract). In Proceedings of CCS 2001, pages 245–54. ACM Press, 2001.
[21] S. Micali and R. Rivest. Transitive signature schemes. In Proceedings of RSA 2002, volume 2271 of LNCS, pages 236–43. Springer-Verlag, 2002.
[22] A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals, E84-A(5):1234–43, May 2001.
[23] M. Naor. Deniable ring authentication. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 481–98. Springer-Verlag, 2002.
[24] K. Ohta and T. Okamoto. Multisignature schemes secure against active insider attacks. IEICE Trans. Fundamentals, E82-A(1):21–31, 1999.
[25] T. Okamoto. A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Computer Systems, 6(4):432–441, 1998.
[26] T. Okamoto and D. Pointcheval. The gap problems: A new class of problems for the security of cryptographic primitives. In Proceedings of PKC 2001, volume 1992 of LNCS, pages 104–118. Springer-Verlag, 2001.
[27] G. Poupard and J. Stern. Fair encryption of RSA keys. In Proceedings of Eurocrypt 2000, volume 1807 of LNCS, pages 172–89. Springer-Verlag, 2000.
[28] R. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 552–65. Springer-Verlag, 2001.
[29] F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 533–47. Springer-Verlag, 2002.
