Transitive Signatures based on Factoring and RSA Mihir Bellare (University of California, San Diego, USA) Gregory Neven (Katholieke Universiteit Leuven, Belgium)

Page 1:

Transitive Signatures based on Factoring and RSA

Mihir Bellare (University of California, San Diego, USA)

Gregory Neven (Katholieke Universiteit Leuven, Belgium)

Page 2:

Standard digital signatures

$SKG(1^k) \rightarrow (spk, ssk)$

$SSign_{ssk}(M) \rightarrow \sigma$

$SVf_{spk}(M, \sigma') \rightarrow$ accept / reject

Page 3:

Transitive signatures [MR02]

Message is pair of nodes i,j

Signing i,j = creating and authenticating edge {i,j}

An authenticated graph grows with time

$TKG(1^k) \rightarrow (tpk, tsk)$

$TSign_{tsk}(i,j) \rightarrow \sigma_{i,j}$

$TVf_{tpk}(i,j,\sigma'_{i,j}) \rightarrow$ accept / reject

[Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$ and $\sigma_{4,5}$]

Page 4:

Transitive signatures [MR02]

$TKG(1^k) \rightarrow (tpk, tsk)$

$TSign_{tsk}(i,j) \rightarrow \sigma_{i,j}$

$TVf_{tpk}(i,j,\sigma'_{i,j}) \rightarrow$ accept / reject

Additional composition algorithm

$Comp_{tpk}(i,j,k,\sigma_{i,j},\sigma_{j,k}) \rightarrow \sigma_{i,k}$

Authenticated graph is transitive closure of directly signed edges

[Figure: graph on nodes 1 to 5 with signed edges $\sigma_{1,2}$, $\sigma_{2,3}$ and $\sigma_{4,5}$; composing $\sigma_{1,2}$ and $\sigma_{2,3}$ on nodes 1,2,3 yields $\sigma_{1,3}$]

Page 5:

Security of transitive signatures

Standard security definition of [GMR] doesn’t apply: composition allows forgery to some extent

New security goal [MR02]: computationally infeasible to forge signatures not in transitive closure of the edges signed directly by the signer, even under “chosen-edge” attack

[Figure: forger F is given tpk and queries the oracle $TSign_{tsk}(\cdot,\cdot)$ on edges 1,2 ║ 2,3 ║ 4,5, receiving $\sigma_{1,2}$, $\sigma_{2,3}$, $\sigma_{4,5}$. The graph on nodes 1 to 5 shows these edges together with $\sigma_{1,3}$. F outputs {1,4}, $\sigma_{1,4}$.]

Page 6:

Why transitive signatures?

Applications? Micali and Rivest suggest
- military chain-of-command (directed)
- administrative domains (undirected)

Compelling application yet to be found

But a cool concept!

Page 7:

RSATS-1: RSA based scheme [MR02]

Assume standard signature scheme with key pair (spk, ssk); $\boxed{M}$ denotes message $M$ signed under $ssk$

tpk = (spk, N, e)

tsk = ssk

Signer assigns to each node i:
- secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
- public label $y_i \leftarrow x_i^e \bmod N$
- node certificate $\boxed{i, y_i}$

To sign edge {1,2}:
- edge label $\delta_{1,2} \leftarrow x_1 \cdot x_2^{-1} \bmod N$
- signature $\sigma_{1,2} = (\boxed{1, y_1}, \boxed{2, y_2}, \delta_{1,2})$

Verification of $(\boxed{1, y_1}, \boxed{2, y_2}, \delta_{1,2})$:
- check node certificates
- check $\delta_{1,2}^e = y_1 \cdot y_2^{-1} \bmod N$

[Figure: nodes 1, 2, 3 with secret labels $x_1, x_2, x_3$, public labels $y_1, y_2, y_3$, node certificates $\boxed{1, y_1}$, $\boxed{2, y_2}$, $\boxed{3, y_3}$ and edge $\sigma_{1,2}$]

Page 8:

Composition in RSATS-1

To compose signatures $\sigma_{1,2}$ and $\sigma_{2,3}$:

$\sigma_{1,2} = (\boxed{1, y_1}, \boxed{2, y_2}, \delta_{1,2})$ where $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$

$\sigma_{2,3} = (\boxed{2, y_2}, \boxed{3, y_3}, \delta_{2,3})$ where $\delta_{2,3} = x_2 \cdot x_3^{-1} \bmod N$

$\sigma_{1,3} = (\boxed{1, y_1}, \boxed{3, y_3}, \delta_{1,3})$ where

$\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N = (x_1 \cdot x_2^{-1})(x_2 \cdot x_3^{-1}) \bmod N = x_1 \cdot x_3^{-1} \bmod N$

$x_i$ are kept in signer’s state

[Figure: nodes 1, 2, 3 with labels $x_i$, $y_i$ and node certificates; edges $\sigma_{1,2}$ and $\sigma_{2,3}$ compose to $\sigma_{1,3}$]
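The RSATS-1 signing, verification and composition steps from the two slides above, as an added Python example that is not part of the original slides. The Mersenne-prime moduli are constructed toy values, hash-then-RSA stands in for the unspecified standard signature scheme, and the names `Signer`, `cert_ok`, `verify` and `compose` are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (Mersenne primes), far too small for real use.
N, E = (2**89 - 1) * (2**107 - 1), 65537   # tpk part (N, e); signer never uses d for N
SP, SQ = 2**61 - 1, 2**127 - 1             # factors of the certificate modulus
SN = SP * SQ                               # spk: modulus of the standard scheme
SD = pow(E, -1, (SP - 1) * (SQ - 1))       # ssk (= tsk): hash-then-RSA exponent

def _digest(i, y):
    data = f"{i}|{y}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % SN

class Signer:
    def __init__(self):
        self.state = {}                    # node -> (x_i, certificate); x_i stays secret

    def _node(self, i):
        if i not in self.state:
            x = secrets.randbelow(N - 2) + 2
            while gcd(x, N) != 1:          # resample until x is in Z_N^*
                x = secrets.randbelow(N - 2) + 2
            y = pow(x, E, N)               # public label y_i = x_i^e mod N
            self.state[i] = (x, (i, y, pow(_digest(i, y), SD, SN)))
        return self.state[i]

    def sign(self, i, j):
        (xi, cert_i), (xj, cert_j) = self._node(i), self._node(j)
        return (cert_i, cert_j, xi * pow(xj, -1, N) % N)   # delta = x_i * x_j^-1

def cert_ok(cert):
    i, y, s = cert
    return pow(s, E, SN) == _digest(i, y)

def verify(i, j, sig):
    cert_i, cert_j, delta = sig
    if (cert_i[0], cert_j[0]) != (i, j) or not (cert_ok(cert_i) and cert_ok(cert_j)):
        return False
    return pow(delta, E, N) == cert_i[1] * pow(cert_j[1], -1, N) % N

def compose(sig_ij, sig_jk):
    # Needs no secret: anyone holding both signatures can derive sigma_{i,k}.
    if sig_ij[1] != sig_jk[0]:
        raise ValueError("signatures do not share the middle node")
    return (sig_ij[0], sig_jk[1], sig_ij[2] * sig_jk[2] % N)
```

A composed signature is identical to the one the signer would issue directly for the same edge, while an edge label reused between unconnected nodes fails the $\delta^e$ check.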

Page 9:

Non-adaptive security of RSATS-1

RSATS-1 can be proven transitively secure against forgery under non-adaptive chosen-edge attack if
- RSA is one-way
- underlying standard signature scheme is secure under chosen-message attack

Is RSATS-1 secure under adaptive attack?
- Neither proof nor attack known
- Might rely on stronger properties of RSA than one-wayness
- We consider security under one-more inversion [BNPS01]

Page 10:

RSA under one-more inversion

[Figure: adversary A is given (N, e) and two oracles. Chall returns challenges $y_1, \ldots, y_m$, each $y_i \xleftarrow{R} \mathbb{Z}_N^*$. $RSA^{-1}_{N,e}(\cdot)$ answers queries $z_1, \ldots, z_n$ with $z_1^d \bmod N, \ldots, z_n^d \bmod N$. A outputs $x_1, \ldots, x_m$.]

A is successful iff
- $x_i^e = y_i \bmod N$ for $i = 1..m$
- $n < m$

Assumption: this problem is hard [BNPS01]

Used before
- by [BNPS01] to prove security of Chaum’s blind signatures
- by [BP02] to prove security of GQ identification scheme

Page 11:

Adaptive security of RSATS-1

Theorem: RSATS-1 is transitively secure against forgery under adaptive chosen-message attack if
- the one-more RSA-inversion problem is hard
- the underlying standard signature scheme is secure under chosen-message attack.

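Page 12:

Proof idea for RSATS-1

[Figure: adversary A, given (N, e) and the oracles Chall and $RSA^{-1}$, runs forger F on tpk = (spk, N, e). The challenges $y_1, \ldots, y_6$ are the public labels of nodes 1 to 6. F's edge queries {1,2}, {2,3} and {1,3} are answered with $\sigma_{1,2}$, $\sigma_{2,3}$ and $\sigma_{1,3}$, where $\delta_{1,2}$ and $\delta_{2,3}$ come from querying $RSA^{-1}$ on $y_1 y_2^{-1}$ and $y_2 y_3^{-1}$. Edges $\sigma_{5,6}$ and $\sigma_{4,6}$ connect nodes 4, 5, 6. F outputs $\sigma_{1,4}$, and A outputs $x_1, \ldots, x_6$.]

If A would know $x_3$ (remember $\delta_{i,j} = x_i \cdot x_j^{-1}$):

$x_2 \leftarrow \delta_{2,3} \cdot x_3$

$x_1 \leftarrow \delta_{1,2} \cdot x_2$

$n_1$ nodes: $n_1 - 1$ queries; $n_2$ nodes: $n_2 - 1$ queries

$(n_1 - 1) + (n_2 - 1) + 1 = n_1 + n_2 - 1$ queries $< n_1 + n_2$ decrypted challenges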

Page 13:

FBTS-1: Factoring based scheme

tpk = (spk, N); tsk = ssk

Signer assigns to each node i:
- secret label $x_i \xleftarrow{R} \mathbb{Z}_N^*$
- public label $y_i \leftarrow x_i^2 \bmod N$
- node certificate $\boxed{i, y_i}$

Signature $\sigma_{1,2} = (\boxed{1, y_1}, \boxed{2, y_2}, \delta_{1,2})$ with $\delta_{1,2} = x_1 \cdot x_2^{-1} \bmod N$

Verification of $\sigma_{1,2}$:
- check signatures on $\boxed{1, y_1}$, $\boxed{2, y_2}$
- check $\delta_{1,2}^2 = y_1 \cdot y_2^{-1} \bmod N$

Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:

$\sigma_{1,3} = (\boxed{1, y_1}, \boxed{3, y_3}, \delta_{1,3})$ with $\delta_{1,3} = \delta_{1,2} \cdot \delta_{2,3} \bmod N$

[Figure: nodes 1, 2, 3 with labels $x_i$, $y_i$ and node certificates; edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]

Page 14:

Security of FBTS-1

Theorem: FBTS-1 is transitively secure against forgery under adaptive chosen-message attack if
- factoring N is hard
- the underlying standard signature scheme is secure under chosen-message attack.

Proof idea:
- with probability 1/2, forgery gives second square root
- signatures might leak information about known root → information-theoretic lemma needed

Page 15:

Node certification paradigm

For each node i, the signer:
- chooses secret label $x_i$
- computes public label $y_i = f(x_i)$
- creates node certificate $\boxed{i, y_i}$

Signature $\sigma_{1,2} = (\boxed{1, y_1}, \boxed{2, y_2}, \delta_{1,2})$ where $\delta_{1,2} = g(x_1, x_2)$

Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:

$\sigma_{1,3} = (\boxed{1, y_1}, \boxed{3, y_3}, \delta_{1,3})$ where $\delta_{1,3} = h(\delta_{1,2}, \delta_{2,3})$

| Scheme | $f(x_i)$ | $g(x_i, x_j)$ | $h(\delta_{i,j}, \delta_{j,k})$ |
|---|---|---|---|
| RSATS-1 | $x_i^e \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |
| FBTS-1 | $x_i^2 \bmod N$ | $x_i \cdot x_j^{-1} \bmod N$ | $\delta_{i,j} \cdot \delta_{j,k} \bmod N$ |

[Figure: nodes 1, 2, 3 with labels $x_i$, $y_i$ and node certificates; edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]

Page 16:

Eliminating node certificates

Let $H_{tpk}$ be a public hash function

For each node i, signer lets:
- public label $y_i \leftarrow H_{tpk}(i)$
- secret label $x_i \leftarrow$ “inversion” of $y_i$ (using trapdoor information in tsk)

Signature $\sigma_{1,2} = \delta_{1,2}$ where $\delta_{1,2} = f(x_1, x_2)$

Composition of $\sigma_{1,2}$ and $\sigma_{2,3}$:

$\sigma_{1,3} = \delta_{1,3}$ where $\delta_{1,3} = g(\delta_{1,2}, \delta_{2,3})$

RSATS-1 and FBTS-1, but not MRTS

[Figure: nodes 1, 2, 3 with public labels $y_1 = H_{tpk}(1)$, $y_2 = H_{tpk}(2)$, $y_3 = H_{tpk}(3)$ and secret labels $x_1, x_2, x_3$; edges $\sigma_{1,2}$, $\sigma_{2,3}$ and composed edge $\sigma_{1,3}$]

Page 17:

RSATS-2 and FBTS-2

RSATS-2: Straightforward application of this idea to RSATS-1

Theorem: RSATS-2 is transitively secure against forgery under adaptive chosen-message attack if
- the one-more RSA-inversion problem is hard
- $H_N: \{0,1\}^* \rightarrow \mathbb{Z}_N^*$ is a random oracle.

FBTS-2: Modifications needed because public labels have to be squares mod N

Theorem: FBTS-2 is transitively secure against forgery under adaptive chosen-message attack if
- factoring N is hard
- $H_N: \{0,1\}^* \rightarrow \mathbb{Z}_N^*[+1]$ is a random oracle.
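A sketch of RSATS-2 as the two slides above describe it: public labels come from a hash, secret labels are recovered with the RSA trapdoor, and a signature is a single element of $\mathbb{Z}_N^*$. This is an added Python example, not part of the original slides; the Mersenne-prime key is a constructed toy value, SHAKE-256 with a retry counter is an assumed stand-in for the random oracle $H_N$, and the function names are hypothetical.

```python
import hashlib
from math import gcd

# Constructed toy key (Mersenne primes), far too small for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q                                  # tpk = (N, e)
D = pow(E, -1, (P - 1) * (Q - 1))          # trapdoor kept in tsk

def H(node):
    """Public label y_i = H_N(i), hashed into Z_N^* (assumed instantiation)."""
    ctr = 0
    while True:
        raw = hashlib.shake_256(f"{ctr}|{node}".encode()).digest(48)
        y = int.from_bytes(raw, "big") % N
        if y > 1 and gcd(y, N) == 1:
            return y
        ctr += 1                           # retry on the negligible bad case

def sign(i, j):
    # Secret labels x = y^d mod N are recomputed on demand: no per-node state.
    xi, xj = pow(H(i), D, N), pow(H(j), D, N)
    return xi * pow(xj, -1, N) % N         # the whole signature is delta_{i,j}

def verify(i, j, delta):
    # Anyone can recompute both public labels from the node names alone.
    return pow(delta, E, N) == H(i) * pow(H(j), -1, N) % N

def compose(delta_ij, delta_jk):
    return delta_ij * delta_jk % N
```

Unlike RSATS-1, the signer here holds the RSA trapdoor and no node certificates appear in the signature, which is why the size drops to one point in $\mathbb{Z}_N^*$.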

Page 18:

Previously known schemes

| Scheme | Security assumption | Ad.? | Signature size |
|---|---|---|---|
| Trivial | Standard signatures | Yes | O(path length) |
| MRTS | Discrete logarithms, Standard signatures | Yes | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA, Standard signatures | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |

Page 19:

Scheme contributions

| Scheme | Security assumption | Ad.? | RO? | Signature size |
|---|---|---|---|---|
| Trivial | Standard signatures | Yes | No | O(path length) |
| MRTS | Discrete logarithms, Standard signatures | Yes | No | 2 stand. sigs, 2 points in $G$, 2 points in $\mathbb{Z}_q$ |
| RSATS-1 | One-wayness of RSA, Standard sigs | No | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| RSATS-1 | One-more RSA, Standard signatures | Yes | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| FBTS-1 | Factoring, Standard signatures | Yes | No | 2 stand. sigs, 3 points in $\mathbb{Z}_N^*$ |
| RSATS-2 | One-more RSA | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |
| FBTS-2 | Factoring | Yes | Yes | 1 point in $\mathbb{Z}_N^*$ |

Page 20:

Questions?