digital signatures · 2020-04-28 · digital signatures dennis hofheinz (slides based on slides by...
TRANSCRIPT
![Page 1: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/1.jpg)
Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel and GunnarHartung)
Digital Signatures 2020-04-28 1
![Page 2: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/2.jpg)
Outline
Pairings
Boneh-Lynn-Shacham (BLS) signatures
Digital Signatures 2020-04-28 2
![Page 3: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/3.jpg)
Pairings
Definition 78 (Pairings):Let G1,G2,GT be groups of prime order p. A pairing is a map
e : G1 ×G2 → GT
with the following properties:
1) Bilinearity: ∀g1, g′1 ∈ G1, g2, g′2 ∈ G2 :
e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)
e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)
⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga
2 )enables one multiplication in the exponent.
Digital Signatures 2020-04-28 3
![Page 4: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/4.jpg)
Pairings
Definition 78 (Pairings):Let G1,G2,GT be groups of prime order p. A pairing is a map
e : G1 ×G2 → GT
with the following properties:
1) Bilinearity: ∀g1, g′1 ∈ G1, g2, g′2 ∈ G2 :
e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)
e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)
⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga
2 )enables one multiplication in the exponent.
Digital Signatures 2020-04-28 3
![Page 5: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/5.jpg)
Pairings
Definition 78 (Pairings):Let G1,G2,GT be groups of prime order p. A pairing is a map
e : G1 ×G2 → GT
with the following properties:
1) Bilinearity: ∀g1, g′1 ∈ G1, g2, g′2 ∈ G2 :
e(g1 · g′1, g2) = e(g1, g2) · e(g′1, g2)
e(g1, g2 · g′2) = e(g1, g2) · e(g1, g′2)
⇒ e(ga1 , g2) = e(g1, g2)a = e(g1, ga
2 )enables one multiplication in the exponent.
Digital Signatures 2020-04-28 3
![Page 6: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/6.jpg)
Pairings
2) Non-degeneracy: for all generators g1 ∈ G1, g2 ∈ G2:
e(g1, g2) generates GT
(|GT |prime⇐⇒ e(g1, g2) 6= 1
)
3) e efficiently computable
Note: there are also pairings over groups of non-prime order.
Digital Signatures 2020-04-28 4
![Page 7: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/7.jpg)
Pairings
2) Non-degeneracy: for all generators g1 ∈ G1, g2 ∈ G2:
e(g1, g2) generates GT
(|GT |prime⇐⇒ e(g1, g2) 6= 1
)
3) e efficiently computable
Note: there are also pairings over groups of non-prime order.
Digital Signatures 2020-04-28 4
![Page 8: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/8.jpg)
Pairings
2) Non-degeneracy: for all generators g1 ∈ G1, g2 ∈ G2:
e(g1, g2) generates GT
(|GT |prime⇐⇒ e(g1, g2) 6= 1
)
3) e efficiently computable
Note: there are also pairings over groups of non-prime order.
Digital Signatures 2020-04-28 4
![Page 9: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/9.jpg)
Pairings: remarks
• G1,G2 often elliptic curves (“source groups”)
• GT ⊆ F∗Q (“target group”)
• Pairing operation less efficient than exponentiation
Original (cryptographic) application:
• Cryptanalysis• Example: assuming DLog easier in GT than in Gi , then e helps
to “lift/push” DLog problem from Gi to GT
– given gx1 ∈ G1, find x
– compute e(gx1 , g2) = e(g1, g2)x , and then DLog of e(g1, g2)x in
GT
• Some assumptions (like DDH) do not hold in G1 if G1 = G2
Digital Signatures 2020-04-28 5
![Page 10: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/10.jpg)
Pairings: remarks
• G1,G2 often elliptic curves (“source groups”)
• GT ⊆ F∗Q (“target group”)
• Pairing operation less efficient than exponentiation
Original (cryptographic) application:
• Cryptanalysis• Example: assuming DLog easier in GT than in Gi , then e helps
to “lift/push” DLog problem from Gi to GT
– given gx1 ∈ G1, find x
– compute e(gx1 , g2) = e(g1, g2)x , and then DLog of e(g1, g2)x in
GT
• Some assumptions (like DDH) do not hold in G1 if G1 = G2
Digital Signatures 2020-04-28 5
![Page 11: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/11.jpg)
Types of Pairings
Type 1: G1 = G2, “symmetric pairing” e : G×G→ GT
Type 2: G1 6= G2, “asymmetric pairing”There is an efficient nontrivial homomorphism
ψ : G2 → G1
Type 3: G1 6= G2, “asymmetric pairing”There is no efficient nontrivial homomorphism
ψ : G2 → G1
Note: here, we mainly consider type-1 pairings
Digital Signatures 2020-04-28 6
![Page 12: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/12.jpg)
Types of Pairings
Type 1: G1 = G2, “symmetric pairing” e : G×G→ GT
Type 2: G1 6= G2, “asymmetric pairing”There is an efficient nontrivial homomorphism
ψ : G2 → G1
Type 3: G1 6= G2, “asymmetric pairing”There is no efficient nontrivial homomorphism
ψ : G2 → G1
Note: here, we mainly consider type-1 pairings
Digital Signatures 2020-04-28 6
![Page 13: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/13.jpg)
Types of Pairings
Type 1: G1 = G2, “symmetric pairing” e : G×G→ GT
Type 2: G1 6= G2, “asymmetric pairing”There is an efficient nontrivial homomorphism
ψ : G2 → G1
Type 3: G1 6= G2, “asymmetric pairing”There is no efficient nontrivial homomorphism
ψ : G2 → G1
Note: here, we mainly consider type-1 pairings
Digital Signatures 2020-04-28 6
![Page 14: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/14.jpg)
Types of Pairings
Type 1: G1 = G2, “symmetric pairing” e : G×G→ GT
Type 2: G1 6= G2, “asymmetric pairing”There is an efficient nontrivial homomorphism
ψ : G2 → G1
Type 3: G1 6= G2, “asymmetric pairing”There is no efficient nontrivial homomorphism
ψ : G2 → G1
Note: here, we mainly consider type-1 pairings
Digital Signatures 2020-04-28 6
![Page 15: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/15.jpg)
Pairings: research
• Pairings already very powerful (we will see examples)
• Multilinear maps (for more source groups) would be even morepowerful
• 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps fromIdeal Lattices and Applications”
• Since then many MLM candidates, attacks, improvements,applications. . .
Digital Signatures 2020-04-28 7
![Page 16: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/16.jpg)
Joux’s 3-party key exchange
• Like Diffie-Hellman key exchange, but for 3 parties A, B, C
• That means A, B, C end up with common shared key
• e : G×G→ GT , g generates G, |G| = |GT | = p prime
Digital Signatures 2020-04-28 8
![Page 17: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/17.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 18: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/18.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 19: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/19.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 20: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/20.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga
ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 21: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/21.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 22: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/22.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 23: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/23.jpg)
Joux’s 3-party key exchange
A
B C
a← Zp
b ← Zp c ← Zp
ga g a
ga ga
gb
gb
gb
ga, gb
g c
gc
gb, gc
ga, gc
k = e(gb, gc)a = e(g, g)abc
k = e(ga, gc)b = e(g, g)abc k = e(ga, gb)c = e(g, g)abc
• Shared key is k = e(g, g)abc
• Order of exchanged messages does not matter• (Multilinear map→ more parties)
Digital Signatures 2020-04-28 9
![Page 24: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/24.jpg)
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about pairings starts now!
Digital Signatures 2020-04-28 10
![Page 25: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/25.jpg)
Boneh-Lynn-Shacham signatures
• Simple pairing-based signature scheme
• Short signatures
• EUF-CMA secure in random oracle model
In the following:
• G,GT groups, |G| = |GT | = p prime, 〈g〉 = G• e : G×G→ GT pairing
• Hash function H : {0, 1}∗ → G \ {1}
Digital Signatures 2020-04-28 11
![Page 26: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/26.jpg)
BLS signatures
Gen(1k ) :
• x ← Z∗p• pk = (g, gx ), sk = x
Sign(sk , m) :
• σ := H(m)x ∈ G
Vfy(pk , m,σ) :
• e(H(m), gx ) ?= e(σ, g)
Correctness:
e(H(m), gx ) = e(H(m), g)x = e(H(m)x , g) = e(σ, g)
Digital Signatures 2020-04-28 12
![Page 27: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/27.jpg)
BLS signatures
Gen(1k ) :
• x ← Z∗p• pk = (g, gx ), sk = x
Sign(sk , m) :
• σ := H(m)x ∈ G
Vfy(pk , m,σ) :
• e(H(m), gx ) ?= e(σ, g)
Correctness:
e(H(m), gx ) = e(H(m), g)x = e(H(m)x , g) = e(σ, g)
Digital Signatures 2020-04-28 12
![Page 28: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/28.jpg)
The computational Diffie-Hellman (CDH) problem
• Given (g, gx , gy ), compute gxy (for random g and x , y ← Z∗p).
CDH assumption:
• ∀ PPT A:
Pr[g random, x , y ← Z∗p : A(1k , g, gx , gy ) = gxy ]
is negligible.
Note: group G and order p may depend on security parameter k .
Digital Signatures 2020-04-28 13
![Page 29: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/29.jpg)
The computational Diffie-Hellman (CDH) problem
• Given (g, gx , gy ), compute gxy (for random g and x , y ← Z∗p).
CDH assumption:
• ∀ PPT A:
Pr[g random, x , y ← Z∗p : A(1k , g, gx , gy ) = gxy ]
is negligible.
Note: group G and order p may depend on security parameter k .
Digital Signatures 2020-04-28 13
![Page 30: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/30.jpg)
BLS signatures: security
Theorem 85:Assuming H is modeled as a random oracle, then
• for every adversary A that breaks the EUF-CMA security of theBLS signature scheme in time tA with success εA,
• there is an adversary B that solves the CDH problem in G intime tB ≈ tA with success
εB ≥εA
qH,
where qH is the number of random oracle queries A makes.
Proof idea: conceptually very similar to RSA-FDH, details up next.
Digital Signatures 2020-04-28 14
![Page 31: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/31.jpg)
BLS: security proof
Simulation/reduction strategy:
• A has to explicitly query H for hash values (also for m∗)
• Intercept these queries and simulate RO for A
• B can implement RO for A as follows:– guess index i∗ of message for which A forges a signature (i.e.,
guess when m∗ is being queried)– choose hash values hi (for i 6= i∗) such that signature is known– embed (part of) CDH challenge into hi∗ as hi∗ = gy (for the last
part of the given CDH challenge g, gx , gy )
Digital Signatures 2020-04-28 15
![Page 32: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/32.jpg)
BLS: security proof
Simulation/reduction strategy:
• A has to explicitly query H for hash values (also for m∗)
• Intercept these queries and simulate RO for A
• B can implement RO for A as follows:– guess index i∗ of message for which A forges a signature (i.e.,
guess when m∗ is being queried)– choose hash values hi (for i 6= i∗) such that signature is known– embed (part of) CDH challenge into hi∗ as hi∗ = gy (for the last
part of the given CDH challenge g, gx , gy )
Digital Signatures 2020-04-28 15
![Page 33: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/33.jpg)
BLS: security proof
• Assume that A outputs valid forgery (m∗,σ∗).• We will assume (wlog) that A has always queried H(m∗).
– Given an A that sometimes does not query H(m∗), canconstruct an A′ that always does before submitting forgery
Digital Signatures 2020-04-28 16
![Page 34: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/34.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 35: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/35.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 36: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/36.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 37: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/37.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1
choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 38: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/38.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 39: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/39.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2
compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 40: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/40.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 41: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/41.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3
gxy
Digital Signatures 2020-04-28 17
![Page 42: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/42.jpg)
BLS: reduction to CDH problem
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(m) = ?
1choose H(m) suitablyH(m)
Sign(sk , m) = ?
2compute σ suitablyσ
m∗,σ∗
3gxy
Digital Signatures 2020-04-28 17
![Page 43: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/43.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)
Digital Signatures 2020-04-28 18
![Page 44: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/44.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)
Digital Signatures 2020-04-28 18
![Page 45: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/45.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)
Digital Signatures 2020-04-28 18
![Page 46: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/46.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)
Digital Signatures 2020-04-28 18
![Page 47: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/47.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)
Digital Signatures 2020-04-28 18
![Page 48: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/48.jpg)
BLS: reduction details• Choice of H(m) (reduction B can make up H(m) for A!):
– Setting H(mi ) = gyi mod N for known (previously chosen) yi . . .– . . . allows to later output a signature σ := (gx )yi = H(mi )x for mi
– Setting H(m) = gy for the gy from the CDH challenge. . .– . . . means that a signature σ for m solves the CDH challenge
(since σ = H(m)x = gxy mod N)
• Ideally: set H(mi ) = gyi for known yi and all (later) signaturequeries mi ; also set H(m∗) = gy
• Problem: not known which mi are asked to be signed andwhich hash query is m∗
• Solution (as with RSA-FDH): guess index i∗ of hash queryfor which mi∗ = m∗, set H(mi ) = gyi for all queries mi with i 6= i∗
(Reason for loss qH of reduction)Digital Signatures 2020-04-28 18
![Page 49: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/49.jpg)
BLS: detailed full reduction
CCDH B A
CDH problem EUF-CMA
choose g, x , y g, gx, gy
pk = (g, gx)
H(mi) = ?
1i 6= i∗ : H(mi ) := gyi
i = i∗ : H(mi ) := gy H(mi )
Sign(sk , mi) = ?
2set σ = (gx )yi
σ
m∗,σ∗
3gxy = σ∗
Digital Signatures 2020-04-28 19
![Page 50: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/50.jpg)
BLS signatures: pros/cons
Pros:
• Short signatures (only one group element)
• Efficient algorithms (although: pairing can be expensive)
• EUF-CMA secure under well-known weak assumption
Cons:
• Security proof only in random oracle model
Digital Signatures 2020-04-28 20
![Page 51: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/51.jpg)
BLS: extra properties
Problem:
• U1, ..., UN senders (e.g., in a sensor network)
• Each Ui has their own pki = (g, gxi )
Straightforward (but expensive!) solution:
U1 with (pk1, sk1)→ m1,σ1
U2 with (pk2, sk2)→ m2,σ2
...
Un with (pkn, skn)→ mn,σn
Verifier∀i : Vfy(pki , mi ,σi )
?= 1
(m1,σ1), ... , (mn,σn)
Digital Signatures 2020-04-28 21
![Page 52: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/52.jpg)
Better solution: aggregable signature scheme
U1
U2
...
Un
aggregator
m1 ,σ1
m2,σ2
. . .
mn,σn
VerifierVfy(pk1, ... , pkn, m1, ... , mn,σAgg) ?= 1
m1, ... , mn,σAgg
• Algorithm that aggregates signatures
• |σAgg| = |σ|• Vfy of single aggregated signature more efficient than Vfy of
many single signatures
Digital Signatures 2020-04-28 22
![Page 53: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/53.jpg)
Aggregable signatures
Advantages and (potential) applications:
• Saves bandwidth/storage
• Aggregating signatures more efficient than signing hugedataset (perhaps over and over again)• Applications:
– Sensor networks– Secure logging– (Authenticating) databases– . . .
Digital Signatures 2020-04-28 23
![Page 54: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/54.jpg)
BLS: aggregability
• Ui has BLS keypair (pki = (g, gxi ), ski = xi )
• Signatures are of the form σi = H(mi )xi
• Aggregator computes
σAgg =n∏
i=1
σi
and sends (m1, ... , mn,σ) to the verifier
• Aggregation is public computation, no secret key necessary
Digital Signatures 2020-04-28 24
![Page 55: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/55.jpg)
BLS: aggregability
• Ui has BLS keypair (pki = (g, gxi ), ski = xi )
• Signatures are of the form σi = H(mi )xi
• Aggregator computes
σAgg =n∏
i=1
σi
and sends (m1, ... , mn,σ) to the verifier
• Aggregation is public computation, no secret key necessary
Digital Signatures 2020-04-28 24
![Page 56: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/56.jpg)
BLS: aggregability
σAgg =n∏
i=1
σi
• Verification of aggregated signatures:
Ideas?
• Correctness:
e(σAgg, g) = e(σ1, g) · ... · e(σn, g)
= e(H(m1)x1 , g) · ... · e(H(mn)xn , g)
=n∏
i=1
e(H(mi ), gxi )
Digital Signatures 2020-04-28 25
![Page 57: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/57.jpg)
BLS: aggregability
σAgg =n∏
i=1
σi
• Verification of aggregated signatures:
e(σAgg, g) ?=n∏
i=1
e(H(mi ), gxi ).
• Correctness:
e(σAgg, g) = e(σ1, g) · ... · e(σn, g)
= e(H(m1)x1 , g) · ... · e(H(mn)xn , g)
=n∏
i=1
e(H(mi ), gxi )
Digital Signatures 2020-04-28 25
![Page 58: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/58.jpg)
BLS: aggregability
σAgg =n∏
i=1
σi
• Verification of aggregated signatures:
e(σAgg, g) ?=n∏
i=1
e(H(mi ), gxi ).
• Correctness:
e(σAgg, g) = e(σ1, g) · ... · e(σn, g)
= e(H(m1)x1 , g) · ... · e(H(mn)xn , g)
=n∏
i=1
e(H(mi ), gxi )
Digital Signatures 2020-04-28 25
![Page 59: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/59.jpg)
BLS: aggregability
• Verification time approximately halved:– No aggregation: verifying n signatures takes 2n pairing
computations– Aggregated: verifying aggregated signature for n messages
takes n + 1 pairing computations
• Scheme with aggregation EUF-CMA secure– . . . according to adapted EUF-CMA definition– Difference: allow aggregated forgery– Generalizes “ordinary” EUF-CMA
Digital Signatures 2020-04-28 26
![Page 60: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/60.jpg)
BLS: batch verification
Problem:
U with (pk , sk )Verifier∀i : Vfy(pki , mi ,σi )
?= 1
(m1,σ1), ... , (mn,σn)
Solution: batch verification
• σ1, ... ,σn signatures for m1, ... , mn
• h =∏n
i=1 H(mi ), σ :=∏n
i=1 σi
• Checke(σ, g) ?= e(h, gx )
• Correctness: as with aggregation
• Only two pairing computations for n signatures
Digital Signatures 2020-04-28 27
![Page 61: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/61.jpg)
BLS: batch verification
Problem:
U with (pk , sk )Verifier∀i : Vfy(pki , mi ,σi )
?= 1
(m1,σ1), ... , (mn,σn)
Solution: batch verification
• σ1, ... ,σn signatures for m1, ... , mn
• h =∏n
i=1 H(mi ), σ :=∏n
i=1 σi
• Checke(σ, g) ?= e(h, gx )
• Correctness: as with aggregation
• Only two pairing computations for n signatures
Digital Signatures 2020-04-28 27
![Page 62: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/62.jpg)
Research
• Different forms of aggregation– Sequential aggregation (→Waters signatures), full aggregation
(BLS), . . .– Reason: weaker forms of aggregation easier to achieve (without
RO)
• “Universal aggregators” (aggregation across signatureschemes)• Fault-tolerant aggregate signatures
– Aggregating an invalid signatures invalidates aggregate– But: sometimes useful to be able to tell which message has
invalid signature– → Vfy outputs list of valid signatures
Digital Signatures 2020-04-28 28
![Page 63: Digital Signatures · 2020-04-28 · Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-28 1. Outline ... 1](https://reader034.vdocument.in/reader034/viewer/2022042403/5f16a76d1ff8a62f181c8435/html5/thumbnails/63.jpg)
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about CDH and BLS starts now!
Digital Signatures 2020-04-28 29