Blank Digital Signatures: Optimization and Practical Experiences

Similar documents
Blank Digital Signatures: Optimization and Practical Experiences

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

On the Revocation of U-Prove Tokens

Privacy-Enhancing Proxy Signatures from Non-Interactive Anonymous Credentials

A General Framework for Redactable Signatures and New Constructions

Blind Signatures and Their Applications

Coupon Recalculation for the GPS Authentication Scheme

Anonymous Ticketing for NFC-enabled Mobile Phones

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

Signature schemes variations

Key Escrow free Identity-based Cryptosystem

An IBE Scheme to Exchange Authenticated Secret Keys

Short-term Linkable Group Signatures with Categorized Batch Verification

Evaluating Private Information Retrieval on the Cloud

Controlling digital multisignature with attribute certificate

Speed-ups of Elliptic Curve-Based

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Computer Security: Principles and Practice

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

An Implementation of a Pairing-Based Anonymous Credential System with Constant Complexity

Cryptographic Concepts

TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for cryptographic suites

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

Apple Inc. Certification Authority Certification Practice Statement

UNIT - IV Cryptographic Hash Function 31.1

Network Security Essentials

IBM i Version 7.2. Security Digital Certificate Manager IBM

Attribute Based Encryption with Privacy Protection in Clouds

Introduction to Microsoft.NET Programming Using Microsoft Visual Studio 2008 (C#) Course Overview. Prerequisites. Audience.

Internet Engineering Task Force (IETF) Request for Comments: 6160 Category: Standards Track April 2011 ISSN:

Cryptographic Systems

CSE 565 Computer Security Fall 2018

Technical Specification Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

Simulation on Agent-based Onion Routing Network *

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Cascaded Authorization with Anonymous-Signer Aggregate Signatures

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Attribute-based Credentials on Smart Cards

Public-key Cryptography: Theory and Practice

Abstract. Asia-pacific Journal of Convergent Research Interchange Vol.2, No.2, June 30 (2016), pp

Cascaded Authorization with Anonymous-Signer Aggregate Signatures

An Overview of Secure Multiparty Computation

Digital signatures: How it s done in PDF

Delegation Scheme based on Proxy Re-encryption in Cloud Environment

Identity-Based Decryption

Secure digital certificates with a blockchain protocol

Privacy and Security in Smart Grids

Digital Certificates. PKI and other TTPs. 3.3

Notes for Lecture 14

Apple Inc. Certification Authority Certification Practice Statement

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

Table of Contents 1. ABOUT THE GIS PANGEA SYSTEM 5 2. HOME DASHBOARD OVERVIEW MANAGER DASHBOARD OVERVIEW 66

ETSI ESI and Signature Validation Services

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Xolido Sign Desktop. Xolido Sign Desktop. V2.2.1.X User manual XOLIDO. electronic signature, notifications and secure delivery of documents

Real World Crypto January 11, Geo Key Manager. Nick Sullivan Brendan McMillion

Using Sphinx to Improve Onion Routing Circuit Construction (short paper)

New Security Features in DLMS/COSEM

APNIC elearning: Cryptography Basics

Generating A Digital Signature Based On New Cryptographic Scheme For User Authentication And Security

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Modules. This chapter lists and describes the major modules or applications that aggregate specific functionality and all together compose the System.

Electronic Seal Administrator Guide Published:December 27, 2017

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

On the Security of a Certificateless Public-Key Encryption

Security Digital Certificate Manager

SSL/TSL EV Certificates

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

An improved proxy blind signature scheme based on ECDLP

Mobile and Secure Healthcare: Encrypted Objects and Access Control Delegation

IBM. Security Digital Certificate Manager. IBM i 7.1

NYMBLE: Blocking Misbehaving Users in Anonymizing Networks

Preserving Data Integrity in Cloud Storage

Prof. Christos Xenakis

Prof. Christos Xenakis

ID-Based Distributed Magic Ink Signature from Pairings

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

UPDATE ON CEN & ETSI STANDARDISATION ON SIGNATURES

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1)

On Privacy and Anonymity in Knowledge Externalization

Direct Anonymous Attestation

RSA Ready Implementation Guide for

Feature Comparison Checklist

Overview of Cryptography

Secure Data De-Duplication With Dynamic Ownership Management In Cloud Storage

Privacy-friendly Aggregation for the Smart-grid

Internet Engineering Task Force (IETF) Request for Comments: 5959 Category: Standards Track August 2010 ISSN:

ClearPass QuickConnect 2.0

Deploying a New Hash Algorithm. Presented By Archana Viswanath

Security+ SY0-501 Study Guide Table of Contents

Efficient Quantum-Immune Keyless Signatures with Identity

On the security of a certificateless signature scheme in the standard model

Group User Revocation in Cloud for Shared Data

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

BERNINA Embroidery Software Installation

DECENTRALIZED ATTRIBUTE-BASED ENCRYPTION AND DATA SHARING SCHEME IN CLOUD STORAGE

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Transcription:

Blank Digital Signatures: Optimization and Practical Experiences David Derler, Christian Hanser, and Daniel Slamanig {david.derler, christian.hanser, daniel.slamanig}@iaik.tugraz.at Institute for Applied Information Processing and Communications, Graz University of Technology September 8, 2014 1 David Derler

Outline Proxy-Type Signatures Blank Digital Signatures (BDS) Motivation The BDS Scheme Overview Optimizations Implementation Performance Conclusion 2 David Derler Introduction

Proxy-Type Signatures Originator M 1. delegate Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction

Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Proxy M 2. choose M 2. sign Verifier M 3. verify 3 David Derler Introduction

Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction

Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M Verify 3. sign Integrity Verifier M 4. verify Authenticity M? M 3 David Derler Introduction

Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. Fixed element Exchangeable element Proxy Create Template 4 David Derler Introduction

Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. template This is a demotemplate instance with a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Proxy Create Template Issue Signature (T ) 4 David Derler Introduction

Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with a checkbox. a checkbox. a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Create Template Issue Signature (T ) Choose values 4 David Derler Introduction

Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) 4 David Derler Introduction

Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) New: Privacy property Hides T \ M 4 David Derler Introduction

Motivation Attorney makes business deal...on behalf of the client Privacy property Medical files T = ({ I, hereby, declare to pay }, { 100$, 120$, 150$ }, { for this device. }) Doctor creates template containing all data Patient can black-out critical parts Governmental organizations publish forms to be signed by any citizen 5 David Derler Introduction

Blank Digital Signature Scheme Proposed in [HS13] Combination of Conventional Digital Signature Scheme Providing a warrant for the delegation Polynomial Commitments Templates and messages bound to commitment Optimized version of [KZG10] Based on pairing friendly elliptic curve groups Hiding Commitments privacy property 6 David Derler BDSS

Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 7 David Derler BDSS

Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 T = ({ I, hereby, declare to pay },, { 100$, 120$, 150$ }, { for this device. }) M = ( I, hereby, declare to pay, 120$, for this device. ) 7 David Derler BDSS

Encoding (2) - Template Encoding Polynomial t(x) = Fixed element Exchangeable element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(CH(M H(M n id T n ) id n)) T 3 l 3 )) (X H(M 22 id T 2)) (X H(M 23 id T 2)) Fixed element H... collision resistant hash function 8 David Derler BDSS

Encoding (3) - Message Encoding Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 9 David Derler BDSS

Encoding (4) - Complementary Message Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 10 David Derler BDSS

Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS 11 David Derler BDSS

Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS Verify T (only for proxy): Recompute commitment and compare Verify designation DSS 11 David Derler BDSS

Scheme (2) Inst: Choose final values for exchangeable elements 12 David Derler BDSS

Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) 12 David Derler BDSS

Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t 12 David Derler BDSS

Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t Sign Cm DSS 12 David Derler BDSS

Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm 13 David Derler BDSS

Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct 13 David Derler BDSS

Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct Verify designation, signature over C t, C m DSS 13 David Derler BDSS

Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points 14 David Derler BDSS

Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast 14 David Derler BDSS

Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M 2 2... M n n) 14 David Derler BDSS

Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M 2 2... M n n) Optimizations preserve the security 14 David Derler BDSS

Implementation Aspects Integrated within Java Cryptography Architecture Key generation: KeyPairGenerator implementation Sign, Verify T : Signature Inst, VerifyM : Signature Using PKIX Integration of public keys in X.509 certificates KeyFactory implementations for X.509 key extraction Revocation mechanisms of PKIX can be employed Two example signature formats XML PDF 15 David Derler Implementation Aspects

PDF Signature Format Template Message 16 David Derler Implementation Aspects

Performance BNPairings library by Geovandro and Barreto [GB12] Optimal Ate pairing on BN Curves 256 bit group size Timings performed on a single core of a Lenovo ThinkPad T420s Intel Core i5 2540M with 2.6/3.3 GHz 8GB RAM Java 1.7.0 55 on top of Ubuntu 14.04/amd64 Different template constellations... and numbers of elements 17 David Derler Implementation Aspects

Performance (2) Computation time (ms) 2,000 1,500 1,000 500 Sign VerifyT Inst VerifyM Computation time (ms) 2,000 1,500 1,000 500 Sign VerifyT Inst VerifyM 0 0 200 400 600 800 1,000 #Elements (a) 50% fixed 0 0 200 400 600 800 1,000 #Elements (b) 33% fixed Figure : Computation times in relation to #Elements 18 David Derler Implementation Aspects

Conclusion Optimized BDSS Integration into JCA and PKIX Two signature formats PDF forms practical applications Integration of XML format into XMLDsig or XAdES XAdES-A long term validation Fully feasible for practical use 100 elements each step 180ms Future Work Comparison to BDSS from anonymous credentials [DHS14] Integration of BDSS into PDF reader plug-in 19 David Derler Conclusion

Thank you. References David Derler, Christian Hanser, and Daniel Slamanig. Privacy-Enhancing Proxy Signatures from Non-interactive Anonymous Credentials. In Data and Applications Security and Privacy XXVIII, volume 8566 of LNCS, pages 49 65. Springer, 2014. C. C. F. Pereira Geovandro and Paulo S. L. M. Barreto. bnpairings - A Java implementation of efficient bilinear pairings and elliptic curve operations. Public Google code project at: https://code.google.com/p/bnpairings/, 5 November 2012. Christian Hanser and Daniel Slamanig. Blank Digital Signatures. Cryptology eprint Archive, Report 2013/130, 2013. http://eprint.iacr.org/. Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-Size Commitments to Polynomials and Their Applications. In ASIACRYPT, volume 6477 of LNCS, pages 177 194. Springer, 2010. 20 David Derler Conclusion

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback