Results 1–10 of 11
Batch verification of short signatures
In Proceedings of Eurocrypt 2007, 2007
Cited by 23 (3 self)
With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, a frequent requirement is that the communication overhead inflicted be small and that many messages be processable at the same time. In this paper, we consider the suitability of public key signatures in the latter scenario. That is, we consider signatures that are 1) short and 2) where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer. We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications.
On the Practicality of Short Signature Batch Verification
Cited by 19 (1 self)
Abstract. As pervasive communication becomes a reality, where everything from vehicles to heart monitors constantly communicate with their environments, system designers are facing a cryptographic puzzle on how to authenticate messages. These scenarios require that: (1) cryptographic overhead remain short, and yet (2) many messages from many different signers be verified very quickly. Pairing-based signatures have property (1) but not (2), whereas schemes like RSA have property (2) but not (1). As a solution to this dilemma, in Eurocrypt 2007, Camenisch, Hohenberger and Pedersen showed how to batch verify two pairing-based signatures so that the total number of pairing operations was independent of the number of signatures to verify. CHP left open the task of batching privacy-friendly authentication, which is desirable in many pervasive communication scenarios. In this work, we revisit this issue from a more practical standpoint and present the following results: 1. We describe a framework, consisting of general techniques, to help scheme and system designers understand how to securely and efficiently batch the verification of pairing equations. 2. We present a detailed study of when and how our framework can be applied to existing regular, identity-based, group, ring, and aggregate signature schemes. To our knowledge, these batch verifiers for group and ring signatures are the first proposals for batching privacy-friendly authentication, answering an open problem of Camenisch et al. 3. While prior work gave mostly asymptotic efficiency comparisons, we show that our framework is practical by implementing our techniques and giving detailed performance measurements. Additionally, we discuss how to deal with invalid signatures in a batch, and our empirical results show that when ≤ 10% of signatures are invalid, batching remains more efficient than individual verification. Indeed, our results show that batch verification for short signatures is an effective, efficient approach.
Verifiable Random Functions from Weaker Assumptions?
Cited by 4 (1 self)
Abstract. The construction of a verifiable random function (VRF) with large input space and full adaptive security from a static, non-interactive complexity assumption, like decisional Diffie-Hellman, has proven to be a challenging task. To date it is not even clear that such a VRF exists. Most known constructions either allow only a small input space of polynomially-bounded size, or do not achieve full adaptive security under a static, non-interactive complexity assumption. The only known constructions without these restrictions are based on non-static, so-called “q-type” assumptions, which are parametrized by an integer q. Since q-type assumptions get stronger with larger q, it is desirable to have q as small as possible. In current constructions, q is either a polynomial (e.g., Hohenberger and Waters, Eurocrypt 2010) or at least linear (e.g., Boneh et al., CCS 2010) in the security parameter. We show that it is possible to construct relatively simple and efficient verifiable random functions with full adaptive security and large input space from non-interactive q-type assumptions, where q is only logarithmic in the security parameter. Interestingly, our VRF is essentially identical to the verifiable unpredictable function (VUF) by Lysyanskaya (Crypto 2002), but very different from Lysyanskaya’s VRF from the same paper. Thus, our result can also be viewed as a new, direct VRF-security proof for Lysyanskaya’s VUF. As a technical tool, we introduce and construct balanced admissible hash functions.
Machine-Generated Algorithms, Proofs and Software for the Batch Verification of Digital Signature Schemes
2013
Cited by 3 (2 self)
As devices everywhere increasingly communicate with each other, many security applications will require low-bandwidth signatures that can be processed quickly. Pairing-based signatures can be very short, but are often costly to verify. Fortunately, they also tend to have efficient batch verification algorithms. Finding these batching algorithms by hand, however, can be tedious and error prone. We address this by presenting AutoBatch, an automated tool for generating batch verification code in either Python or C++ from a high level representation of a signature scheme. AutoBatch outputs both software and, for transparency, a LaTeX file describing the batching algorithm and arguing that it preserves the unforgeability of the original scheme. We tested AutoBatch on over a dozen pairing-based schemes to demonstrate that a computer could find competitive batching solutions in a reasonable amount of time. Indeed, it proved highly competitive. In particular, it found an algorithm that is significantly faster than a batching algorithm from Eurocrypt 2010. Another novel contribution is that it handles cross-scheme batching, where it searches for a common algebraic structure between two distinct schemes and attempts to batch them together. In this work, we expand upon an extended abstract on AutoBatch appearing in ACM CCS 2012 in a number of ways. We add a new loop-unrolling technique and show that it helps cut the batch verification cost of one scheme by roughly half. We describe our pruning and search algorithms in greater detail, including pseudocode and diagrams. All experiments were also rerun using the RELIC pairing library. We compare those results to our earlier results using the MIRACL library, and discuss why RELIC outperforms MIRACL in all but two cases. Automated proofs of several new batching algorithms are also included. AutoBatch is a useful tool for cryptographic designers and implementors, and to our knowledge, it is the first attempt to outsource to machines the design, proof writing and implementation of signature batch verification schemes.
Practical Hybrid (Hierarchical) Identity-Based Encryption Schemes Based on the Decisional Bilinear Diffie-Hellman Assumption
Cited by 2 (1 self)
Abstract. At Eurocrypt 2005, Waters proposed an efficient identity-based encryption (IBE) scheme and its extension to a hierarchical IBE (HIBE). We describe a (H)IBE scheme which improves upon Waters scheme by significantly reducing the size of the public parameters. The reduction is based on two ideas. The first idea involves partitioning n-bit identities into l-bit blocks while the second idea involves reusing public parameters over different levels of a HIBE. The basic HIBE scheme is CPA-secure and yields a (hierarchical identity-based) signature scheme. Modification of the basic HIBE scheme using ideas from the work of Boyen, Mei and Waters yields a CCA-secure hybrid HIBE scheme. Further, by appropriately using symmetric key authentication, we are able to eliminate costly pairing operations from the decryption algorithm. The protocols and the security arguments are recast in the most efficient pairing setting, i.e., the Type 3 setting. Using the asymmetric pairing setting leads to several variants of the basic protocol with associated tradeoff in the ciphertext overhead and public parameter size. We also incorporate with a small improvement the probability analysis that was recently put forth by Bellare and Ristenpart to remove the need of “artificial abort” in the original security argument of Waters IBE. For 80-bit or 128-bit security levels, the variants of the (H)IBE schemes that we obtain are currently the most efficient and practical among all other schemes which achieve similar security under a static assumption such as the hardness of decisional bilinear
Simplified Proof and Improved Concrete Security for Waters’ IBE Scheme
2009
Waters’ variant of the Boneh-Boyen IBE scheme is attractive because of its efficiency, applications, and security attributes, but suffers from a relatively complex proof with poor concrete security. This is due in part to the proof’s “artificial abort” step, which has then been inherited by numerous derivative works. It has often been asked whether this step is necessary. We show that it is not, providing a new proof that eliminates this step. The new proof is not only simpler than the original one but offers better concrete security for important ranges of the parameters.
Practical Short Signature Batch Verification
2009
In many applications, it is desirable to work with signatures that are both short, and yet where many messages from different signers be verified very quickly. RSA signatures satisfy the latter condition, but are generally thousands of bits in length. Recent developments in pairing-based cryptography produced a number of “short” signatures which provide equivalent security in a fraction of the space. Unfortunately, verifying these signatures is computationally intensive due to the expensive pairing operation. In an attempt to simultaneously achieve “short and fast” signatures, Camenisch, Hohenberger and Pedersen (Eurocrypt 2007) showed how to batch verify two pairing-based schemes so that the total number of pairings was independent of the number of signatures to verify. In this work, we present both theoretical and practical contributions. On the theoretical side, we introduce new batch verifiers for a wide variety of regular, identity-based, group, ring and aggregate signature schemes. These are the first constructions for batching group signatures, which answers an open problem of Camenisch et al. On the practical side, we implement each of these algorithms and compare each batching algorithm to doing individual verifications. Our goal is to test whether batching is practical; that is, whether the benefits of removing pairings significantly outweigh the cost of the additional operations required for batching, such as group membership testing, randomness generation, and additional modular exponentiations and multiplications. We experimentally verify that the theoretical results of Camenisch et al. and this work, indeed, provide an efficient, effective approach to verifying multiple signatures from (possibly) different signers.
Efficient (Anonymous) Compact HIBE From Standard Assumptions
Abstract. We present two hierarchical identity-based encryption (HIBE) schemes, denoted as H1 and H2, from Type-3 pairings with constant sized ciphertexts. Scheme H1 achieves anonymity while H2 is non-anonymous. The constructions are obtained by extending the IBE scheme recently proposed by Jutla and Roy (Asiacrypt 2013). Security is based on the standard decisional Symmetric eXternal Diffie-Hellman (SXDH) assumption. In terms of provable security properties, previous direct constructions of constant-size ciphertext HIBE had one or more of the following drawbacks: security in the weaker model of selective-identity attacks; exponential security degradation in the depth of the HIBE; and use of non-standard assumptions. The security arguments for H1 and H2 avoid all of these drawbacks. These drawbacks can also be avoided by obtaining HIBE schemes by specialising schemes for hierarchical inner product encryption; the downside is that the resulting efficiencies are inferior to those of the schemes reported here. Currently, there is no known anonymous HIBE scheme having the security properties of H1 and comparable efficiency. An independent work by Chen and Wee describes a non-anonymous HIBE scheme with security claims and efficiency similar to that of H2; we note though that in comparison to H2, the Chen-Wee HIBE scheme has larger ciphertexts and less efficient encryption and decryption algorithms. Based on the current state-of-the-art, H1 and H2 are the schemes of choice for efficient implementation of (anonymous) HIBE constructions.
unknown title
Abstract. With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, several applications require that communication overhead be small and that many messages be processed at the same time. In this paper we consider the suitability of public key signatures in the latter scenario. That is, we consider signatures that are 1) short and 2) where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer. We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications.
1 Introduction
As the world moves towards pervasive computing and communication, devices from vehicles to dog collars will soon be expected to communicate with their environments. For example, many governments and industry consortia are currently planning for the future of intelligent cars that constantly communicate with each other and the transportation infrastructure to prevent accidents and to help alleviate traffic congestion [15, 46]. Raya and Hubaux suggest that vehicles will transmit safety messages every 300ms to all other vehicles within a minimum range of 110 meters [45], which in turn may retransmit these messages.
Construction of a Hybrid (Hierarchical) Identity-Based Encryption Protocol Secure Against Adaptive Attacks
Abstract. The current work considers the problem of obtaining a hierarchical identity-based encryption (HIBE) protocol which is secure against adaptive key extraction and decryption queries. Such a protocol is obtained by modifying an earlier protocol by Chatterjee and Sarkar (which, in turn, is based on a protocol due to Waters) which is secure only against adaptive key extraction queries. The setting is quite general in the sense that random oracles are not used and security is based on the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. In this setting, the new construction provides the most efficient (H)IBE protocol known till date. The technique for answering decryption queries in the proof is based on earlier work by Boyen, Mei and Waters. Ciphertext validity testing is done indirectly through a symmetric authentication algorithm in a manner similar to the Kurosawa-Desmedt public key encryption protocol. Additionally, we perform symmetric encryption and authentication by a single authenticated encryption algorithm.