Blank Digital Signatures: Optimization and Practical Experiences

Size: px

Start display at page:

Download "Blank Digital Signatures: Optimization and Practical Experiences"

Adrian Francis
6 years ago
Views:

1 Blank Digital Signatures: Optimization and Practical Experiences David Derler, Christian Hanser, and Daniel Slamanig {david.derler, christian.hanser, Institute for Applied Information Processing and Communications, Graz University of Technology September 8, David Derler

2 Outline Proxy-Type Signatures Blank Digital Signatures (BDS) Motivation The BDS Scheme Overview Optimizations Implementation Performance Conclusion 2 David Derler Introduction

3 Proxy-Type Signatures Originator M 1. delegate Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction

4 Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Proxy M 2. choose M 2. sign Verifier M 3. verify 3 David Derler Introduction

5 Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction

6 Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M Verify 3. sign Integrity Verifier M 4. verify Authenticity M? M 3 David Derler Introduction

7 Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. Fixed element Exchangeable element Proxy Create Template 4 David Derler Introduction

8 Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. template This is a demotemplate instance with a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Proxy Create Template Issue Signature (T ) 4 David Derler Introduction

9 Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with a checkbox. a checkbox. a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Create Template Issue Signature (T ) Choose values 4 David Derler Introduction

10 Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) 4 David Derler Introduction

11 Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) New: Privacy property Hides T \ M 4 David Derler Introduction

12 Motivation Attorney makes business deal...on behalf of the client Privacy property Medical files T = ({ I, hereby, declare to pay }, { 100$, 120$, 150$ }, { for this device. }) Doctor creates template containing all data Patient can black-out critical parts Governmental organizations publish forms to be signed by any citizen 5 David Derler Introduction

13 Blank Digital Signature Scheme Proposed in [HS13] Combination of Conventional Digital Signature Scheme Providing a warrant for the delegation Polynomial Commitments Templates and messages bound to commitment Optimized version of [KZG10] Based on pairing friendly elliptic curve groups Hiding Commitments privacy property 6 David Derler BDSS

14 Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 7 David Derler BDSS

15 Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 T = ({ I, hereby, declare to pay },, { 100$, 120$, 150$ }, { for this device. }) M = ( I, hereby, declare to pay, 120$, for this device. ) 7 David Derler BDSS

16 Encoding (2) - Template Encoding Polynomial t(x) = Fixed element Exchangeable element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(CH(M H(M n id T n ) id n)) T 3 l 3 )) (X H(M 22 id T 2)) (X H(M 23 id T 2)) Fixed element H... collision resistant hash function 8 David Derler BDSS

17 Encoding (3) - Message Encoding Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 9 David Derler BDSS

18 Encoding (4) - Complementary Message Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 10 David Derler BDSS

19 Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS 11 David Derler BDSS

20 Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS Verify T (only for proxy): Recompute commitment and compare Verify designation DSS 11 David Derler BDSS

21 Scheme (2) Inst: Choose final values for exchangeable elements 12 David Derler BDSS

22 Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) 12 David Derler BDSS

23 Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t 12 David Derler BDSS

24 Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t Sign Cm DSS 12 David Derler BDSS

25 Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm 13 David Derler BDSS

26 Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct 13 David Derler BDSS

27 Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct Verify designation, signature over C t, C m DSS 13 David Derler BDSS

28 Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points 14 David Derler BDSS

29 Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast 14 David Derler BDSS

30 Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M M n n) 14 David Derler BDSS

31 Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M M n n) Optimizations preserve the security 14 David Derler BDSS

32 Implementation Aspects Integrated within Java Cryptography Architecture Key generation: KeyPairGenerator implementation Sign, Verify T : Signature Inst, VerifyM : Signature Using PKIX Integration of public keys in X.509 certificates KeyFactory implementations for X.509 key extraction Revocation mechanisms of PKIX can be employed Two example signature formats XML PDF 15 David Derler Implementation Aspects

33 PDF Signature Format Template Message 16 David Derler Implementation Aspects

34 Performance BNPairings library by Geovandro and Barreto [GB12] Optimal Ate pairing on BN Curves 256 bit group size Timings performed on a single core of a Lenovo ThinkPad T420s Intel Core i5 2540M with 2.6/3.3 GHz 8GB RAM Java on top of Ubuntu 14.04/amd64 Different template constellations... and numbers of elements 17 David Derler Implementation Aspects

35 Performance (2) Computation time (ms) 2,000 1,500 1, Sign VerifyT Inst VerifyM Computation time (ms) 2,000 1,500 1, Sign VerifyT Inst VerifyM ,000 #Elements (a) 50% fixed ,000 #Elements (b) 33% fixed Figure : Computation times in relation to #Elements 18 David Derler Implementation Aspects

36 Conclusion Optimized BDSS Integration into JCA and PKIX Two signature formats PDF forms practical applications Integration of XML format into XMLDsig or XAdES XAdES-A long term validation Fully feasible for practical use 100 elements each step 180ms Future Work Comparison to BDSS from anonymous credentials [DHS14] Integration of BDSS into PDF reader plug-in 19 David Derler Conclusion

37 Thank you. References David Derler, Christian Hanser, and Daniel Slamanig. Privacy-Enhancing Proxy Signatures from Non-interactive Anonymous Credentials. In Data and Applications Security and Privacy XXVIII, volume 8566 of LNCS, pages Springer, C. C. F. Pereira Geovandro and Paulo S. L. M. Barreto. bnpairings - A Java implementation of efficient bilinear pairings and elliptic curve operations. Public Google code project at: 5 November Christian Hanser and Daniel Slamanig. Blank Digital Signatures. Cryptology eprint Archive, Report 2013/130, Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-Size Commitments to Polynomials and Their Applications. In ASIACRYPT, volume 6477 of LNCS, pages Springer, David Derler Conclusion

Blank Digital Signatures: Optimization and Practical Experiences

Blank Digital Signatures: Optimization and Practical Experiences David Derler, Christian Hanser, Daniel Slamanig To cite this version: David Derler, Christian Hanser, Daniel Slamanig. Blank Digital Signatures: