Blank Digital Signatures: Optimization and Practical Experiences David Derler, Christian Hanser, and Daniel Slamanig {david.derler, christian.hanser, daniel.slamanig}@iaik.tugraz.at Institute for Applied Information Processing and Communications, Graz University of Technology September 8, 2014 1 David Derler
Outline Proxy-Type Signatures Blank Digital Signatures (BDS) Motivation The BDS Scheme Overview Optimizations Implementation Performance Conclusion 2 David Derler Introduction
Proxy-Type Signatures Originator M 1. delegate Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction
Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Proxy M 2. choose M 2. sign Verifier M 3. verify 3 David Derler Introduction
Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M 3. sign Verifier M 4. verify 3 David Derler Introduction
Proxy-Type Signatures Originator M 1. delegate Delegate signing rights for Message space M Choose message M and sign Proxy M 2. choose M Verify 3. sign Integrity Verifier M 4. verify Authenticity M? M 3 David Derler Introduction
Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. Fixed element Exchangeable element Proxy Create Template 4 David Derler Introduction
Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with a checkbox. template This is a demotemplate instance with a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Proxy Create Template Issue Signature (T ) 4 David Derler Introduction
Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with a checkbox. a checkbox. a checkbox. Template Signature BgAAAOMEAAAA FQOqDON Create Template Issue Signature (T ) Choose values 4 David Derler Introduction
Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) 4 David Derler Introduction
Blank Digital Signatures Message space defined by Template Originator template This is a demotemplate instance with template This is a demotemplate instance with Template Signature BgAAAOMEAAAA FQOqDON Proxy This is a demoinstance with Template Signature BgAAAOMEAAAA FQOqDON This is a demoinstance a checkbox. a checkbox. a checkbox. a checkbox. with Instance Signature d/+thluwiaaaa K1zAAAAAQMA Create Template Issue Signature (T ) Choose values Issue signature (M) New: Privacy property Hides T \ M 4 David Derler Introduction
Motivation Attorney makes business deal...on behalf of the client Privacy property Medical files T = ({ I, hereby, declare to pay }, { 100$, 120$, 150$ }, { for this device. }) Doctor creates template containing all data Patient can black-out critical parts Governmental organizations publish forms to be signed by any citizen 5 David Derler Introduction
Blank Digital Signature Scheme Proposed in [HS13] Combination of Conventional Digital Signature Scheme Providing a warrant for the delegation Polynomial Commitments Templates and messages bound to commitment Optimized version of [KZG10] Based on pairing friendly elliptic curve groups Hiding Commitments privacy property 6 David Derler BDSS
Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 7 David Derler BDSS
Encoding Template T = (T 1, T 2,..., T n ) with T i = {M i1, M i2,..., M ik } { > 1 for exchangeable elements T i = = 1 for fixed elements Message M = (M i ) n i=1 T = ({ I, hereby, declare to pay },, { 100$, 120$, 150$ }, { for this device. }) M = ( I, hereby, declare to pay, 120$, for this device. ) 7 David Derler BDSS
Encoding (2) - Template Encoding Polynomial t(x) = Fixed element Exchangeable element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(CH(M H(M n id T n ) id n)) T 3 l 3 )) (X H(M 22 id T 2)) (X H(M 23 id T 2)) Fixed element H... collision resistant hash function 8 David Derler BDSS
Encoding (3) - Message Encoding Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 9 David Derler BDSS
Encoding (4) - Complementary Message Polynomial m(x) = fixed Element exchangeable Element (X H(M 1 id T 1)) (X H(M 21 id T 2)) (X H(M 22 id T 2)) (X H(M 23 id T 2)) (X H(M n id T n)) blank Element H... collision resistant hash function 10 David Derler BDSS
Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS 11 David Derler BDSS
Scheme Sign: Commit to template encoding polynomial t(x) C t Designation Sign C t and identity of proxy DSS Verify T (only for proxy): Recompute commitment and compare Verify designation DSS 11 David Derler BDSS
Scheme (2) Inst: Choose final values for exchangeable elements 12 David Derler BDSS
Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) 12 David Derler BDSS
Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t 12 David Derler BDSS
Scheme (2) Inst: Choose final values for exchangeable elements Compute message encoding polynomial m(x) Commit to: m(x) = t(x) m(x) C m Thus, m(x) m(x) = t(x) and C m C m = C t Sign Cm DSS 12 David Derler BDSS
Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm 13 David Derler BDSS
Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct 13 David Derler BDSS
Scheme (3) Verify M (public): Compute commitment to message encoding polynomial Cm Check Cm C m? = Ct Verify designation, signature over C t, C m DSS 13 David Derler BDSS
Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points 14 David Derler BDSS
Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast 14 David Derler BDSS
Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M 2 2... M n n) 14 David Derler BDSS
Optimizations Original protocol uses inefficient symmetric pairings e : G 1 G 2 G T, with G 1 = G 2 Asymmetric Type-3 pairings (G 1 G 2 ) Duplicating some points Computations in G 2 more expensive Moving G 2 computations to instantiation step Inst VerifyM fast Aggregation of fixed elements X H(idT M 1 1 M 2 2... M n n) Optimizations preserve the security 14 David Derler BDSS
Implementation Aspects Integrated within Java Cryptography Architecture Key generation: KeyPairGenerator implementation Sign, Verify T : Signature Inst, VerifyM : Signature Using PKIX Integration of public keys in X.509 certificates KeyFactory implementations for X.509 key extraction Revocation mechanisms of PKIX can be employed Two example signature formats XML PDF 15 David Derler Implementation Aspects
PDF Signature Format Template Message 16 David Derler Implementation Aspects
Performance BNPairings library by Geovandro and Barreto [GB12] Optimal Ate pairing on BN Curves 256 bit group size Timings performed on a single core of a Lenovo ThinkPad T420s Intel Core i5 2540M with 2.6/3.3 GHz 8GB RAM Java 1.7.0 55 on top of Ubuntu 14.04/amd64 Different template constellations... and numbers of elements 17 David Derler Implementation Aspects
Performance (2) Computation time (ms) 2,000 1,500 1,000 500 Sign VerifyT Inst VerifyM Computation time (ms) 2,000 1,500 1,000 500 Sign VerifyT Inst VerifyM 0 0 200 400 600 800 1,000 #Elements (a) 50% fixed 0 0 200 400 600 800 1,000 #Elements (b) 33% fixed Figure : Computation times in relation to #Elements 18 David Derler Implementation Aspects
Conclusion Optimized BDSS Integration into JCA and PKIX Two signature formats PDF forms practical applications Integration of XML format into XMLDsig or XAdES XAdES-A long term validation Fully feasible for practical use 100 elements each step 180ms Future Work Comparison to BDSS from anonymous credentials [DHS14] Integration of BDSS into PDF reader plug-in 19 David Derler Conclusion
Thank you. References David Derler, Christian Hanser, and Daniel Slamanig. Privacy-Enhancing Proxy Signatures from Non-interactive Anonymous Credentials. In Data and Applications Security and Privacy XXVIII, volume 8566 of LNCS, pages 49 65. Springer, 2014. C. C. F. Pereira Geovandro and Paulo S. L. M. Barreto. bnpairings - A Java implementation of efficient bilinear pairings and elliptic curve operations. Public Google code project at: https://code.google.com/p/bnpairings/, 5 November 2012. Christian Hanser and Daniel Slamanig. Blank Digital Signatures. Cryptology eprint Archive, Report 2013/130, 2013. http://eprint.iacr.org/. Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-Size Commitments to Polynomials and Their Applications. In ASIACRYPT, volume 6477 of LNCS, pages 177 194. Springer, 2010. 20 David Derler Conclusion