Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-04-28 1
Outline
Pairings
Boneh-Lynn-Shacham (BLS) signatures
Pairings
Definition 78 (Pairings): Let G1, G2, GT be groups of prime order p. A pairing is a map
  e : G1 × G2 → GT
with the following properties:
1) Bilinearity: ∀ g1, g1′ ∈ G1, g2, g2′ ∈ G2:
  e(g1 · g1′, g2) = e(g1, g2) · e(g1′, g2)
  e(g1, g2 · g2′) = e(g1, g2) · e(g1, g2′)
  ⇒ e(g1^a, g2) = e(g1, g2)^a = e(g1, g2^a)
  (enables one multiplication in the exponent)
Pairings
2) Non-degeneracy: for all generators g1 ∈ G1, g2 ∈ G2:
  e(g1, g2) generates GT
  (since |GT| is prime: ⇐⇒ e(g1, g2) ≠ 1)
3) e efficiently computable
Note: there are also pairings over groups of non-prime order.
Pairings: remarks
• G1, G2 often elliptic curves (“source groups”)
• GT ⊆ F_Q^* (“target group”)
• Pairing operation less efficient than exponentiation
Original (cryptographic) application:
• Cryptanalysis
• Example: assuming DLog is easier in GT than in Gi, then e helps to “lift/push” the DLog problem from Gi to GT
  – given g1^x ∈ G1, find x
  – compute e(g1^x, g2) = e(g1, g2)^x, and then the DLog of e(g1, g2)^x in GT
• Some assumptions (like DDH) do not hold in G1 if G1 = G2
Types of Pairings
Type 1: G1 = G2, “symmetric pairing” e : G × G → GT
Type 2: G1 ≠ G2, “asymmetric pairing”; there is an efficient nontrivial homomorphism ψ : G2 → G1
Type 3: G1 ≠ G2, “asymmetric pairing”; there is no efficient nontrivial homomorphism ψ : G2 → G1
Note: here, we mainly consider type-1 pairings
Pairings: research
• Pairings already very powerful (we will see examples)
• Multilinear maps (for more source groups) would be even more powerful
• 2012: Garg, Gentry, Halevi, “Candidate Multilinear Maps from Ideal Lattices and Applications”
• Since then many MLM candidates, attacks, improvements, applications …
Joux’s 3-party key exchange
• Like Diffie-Hellman key exchange, but for 3 parties A, B, C
• That means A, B, C end up with a common shared key
• e : G × G → GT, g generates G, |G| = |GT| = p prime
Joux’s 3-party key exchange
  A: a ← Zp        B: b ← Zp        C: c ← Zp
  A sends g^a to B and C
  B sends g^b to A and C
  C sends g^c to A and B
  A (holding g^b, g^c): k = e(g^b, g^c)^a = e(g, g)^abc
  B (holding g^a, g^c): k = e(g^a, g^c)^b = e(g, g)^abc
  C (holding g^a, g^b): k = e(g^a, g^b)^c = e(g, g)^abc
• Shared key is k = e(g, g)^abc
• Order of exchanged messages does not matter
• (Multilinear map → more parties)
Socrative
Self-checking with quizzes
• Use the following URL: https://b.socrative.com/login/student
• … and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on the link)
• No registration necessary
• Quiz about pairings starts now!
Boneh-Lynn-Shacham signatures
• Simple pairing-based signature scheme
• Short signatures
• EUF-CMA secure in the random oracle model
In the following:
• G, GT groups, |G| = |GT| = p prime, ⟨g⟩ = G
• e : G × G → GT pairing
• Hash function H : {0, 1}* → G \ {1}
BLS signatures
Gen(1^k):
• x ← Zp^*
• pk = (g, g^x), sk = x
Sign(sk, m):
• σ := H(m)^x ∈ G
Vfy(pk, m, σ):
• e(H(m), g^x) ?= e(σ, g)
Correctness:
  e(H(m), g^x) = e(H(m), g)^x = e(H(m)^x, g) = e(σ, g)
The computational Diffie-Hellman (CDH) problem
• Given (g, g^x, g^y), compute g^xy (for random g and x, y ← Zp^*).
CDH assumption:
• ∀ PPT A:
  Pr[g random, x, y ← Zp^* : A(1^k, g, g^x, g^y) = g^xy]
  is negligible.
Note: group G and order p may depend on the security parameter k.
BLS signatures: security
Theorem 85: Assuming H is modeled as a random oracle, then
• for every adversary A that breaks the EUF-CMA security of the BLS signature scheme in time tA with success εA,
• there is an adversary B that solves the CDH problem in G in time tB ≈ tA with success
  εB ≥ εA / qH,
where qH is the number of random oracle queries A makes.
Proof idea: conceptually very similar to RSA-FDH, details up next.
BLS: security proof
Simulation/reduction strategy:
• A has to explicitly query H for hash values (also for m*)
• Intercept these queries and simulate the RO for A
• B can implement the RO for A as follows:
  – guess the index i* of the message for which A forges a signature (i.e., guess when m* is being queried)
  – choose hash values hi (for i ≠ i*) such that the signature is known
  – embed (part of) the CDH challenge into hi* as hi* = g^y (for the last part of the given CDH challenge g, g^x, g^y)
BLS: security proof
• Assume that A outputs a valid forgery (m*, σ*).
• We will assume (wlog) that A has always queried H(m*).
  – Given an A that sometimes does not query H(m*), one can construct an A′ that always does so before submitting the forgery
BLS: reduction to CDH problem
  C_CDH (CDH problem)  ⟷  B  ⟷  A (EUF-CMA)
  C_CDH: choose g, x, y; send (g, g^x, g^y) to B
  B → A: pk = (g, g^x)
  A → B: H(m) = ?
    (1) B chooses H(m) suitably and returns H(m)
  A → B: Sign(sk, m) = ?
    (2) B computes σ suitably and returns σ
  A → B: forgery (m*, σ*)
    (3) B → C_CDH: g^xy
BLS: reduction details
• Choice of H(m) (reduction B can make up H(m) for A!):
  – Setting H(mi) = g^yi for known (previously chosen) yi …
  – … allows B to later output a signature σ := (g^x)^yi = H(mi)^x for mi
  – Setting H(m) = g^y for the g^y from the CDH challenge …
  – … means that a signature σ for m solves the CDH challenge (since σ = H(m)^x = g^xy)
• Ideally: set H(mi) = g^yi for known yi and all (later) signature queries mi; also set H(m*) = g^y
• Problem: it is not known which mi are asked to be signed and which hash query is m*
• Solution (as with RSA-FDH): guess the index i* of the hash query for which mi* = m*, set H(mi) = g^yi for all queries mi with i ≠ i*
  (Reason for the loss qH of the reduction)
BLS: detailed full reduction
  C_CDH (CDH problem)  ⟷  B  ⟷  A (EUF-CMA)
  C_CDH: choose g, x, y; send (g, g^x, g^y) to B
  B → A: pk = (g, g^x)
  A → B: H(mi) = ?
    (1) B sets H(mi) := g^yi if i ≠ i*, and H(mi) := g^y if i = i*; returns H(mi)
  A → B: Sign(sk, mi) = ?
    (2) B sets σ = (g^x)^yi and returns σ
  A → B: forgery (m*, σ*)
    (3) B → C_CDH: g^xy = σ*
BLS signatures: pros/cons
Pros:
• Short signatures (only one group element)
• Efficient algorithms (although: pairing can be expensive)
• EUF-CMA secure under well-known weak assumption
Cons:
• Security proof only in random oracle model
BLS: extra properties
Problem:
• U1, ..., UN senders (e.g., in a sensor network)
• Each Ui has their own pki = (g, g^xi)
Straightforward (but expensive!) solution:
  U1 with (pk1, sk1) → (m1, σ1)
  U2 with (pk2, sk2) → (m2, σ2)
  ...
  Un with (pkn, skn) → (mn, σn)
  All pairs (m1, σ1), ..., (mn, σn) are sent to the verifier, who checks ∀i: Vfy(pki, mi, σi) ?= 1
Better solution: aggregable signature scheme
  U1 → (m1, σ1)
  U2 → (m2, σ2)
  ...
  Un → (mn, σn)
  The pairs are sent to an aggregator, which forwards (m1, ..., mn, σAgg) to the verifier.
  Verifier: Vfy(pk1, ..., pkn, m1, ..., mn, σAgg) ?= 1
• Algorithm that aggregates signatures
• |σAgg| = |σ|
• Vfy of a single aggregated signature is more efficient than Vfy of many single signatures
Aggregable signatures
Advantages and (potential) applications:
• Saves bandwidth/storage
• Aggregating signatures is more efficient than signing a huge dataset (perhaps over and over again)
• Applications:
  – Sensor networks
  – Secure logging
  – (Authenticating) databases
  – …
BLS: aggregability
• Ui has BLS keypair (pki = (g, g^xi), ski = xi)
• Signatures are of the form σi = H(mi)^xi
• Aggregator computes
  σAgg = ∏_{i=1}^{n} σi
  and sends (m1, ..., mn, σAgg) to the verifier
• Aggregation is a public computation, no secret key necessary
BLS: aggregability
  σAgg = ∏_{i=1}^{n} σi
• Verification of aggregated signatures:
  e(σAgg, g) ?= ∏_{i=1}^{n} e(H(mi), g^xi).
• Correctness:
  e(σAgg, g) = e(σ1, g) · ... · e(σn, g)
             = e(H(m1)^x1, g) · ... · e(H(mn)^xn, g)
             = ∏_{i=1}^{n} e(H(mi), g^xi)
BLS: aggregability
• Verification time approximately halved:
  – No aggregation: verifying n signatures takes 2n pairing computations
  – Aggregated: verifying the aggregated signature for n messages takes n + 1 pairing computations
• Scheme with aggregation is EUF-CMA secure
  – … according to an adapted EUF-CMA definition
  – Difference: allow an aggregated forgery
  – Generalizes “ordinary” EUF-CMA
BLS: batch verification
Problem:
  A single signer U with (pk, sk) sends (m1, σ1), ..., (mn, σn) to the verifier, who checks ∀i: Vfy(pk, mi, σi) ?= 1
Solution: batch verification
• σ1, ..., σn signatures for m1, ..., mn
• h = ∏_{i=1}^{n} H(mi), σ := ∏_{i=1}^{n} σi
• Check e(σ, g) ?= e(h, g^x)
• Correctness: as with aggregation
• Only two pairing computations for n signatures
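The BLS algorithms above (Gen/Sign/Vfy, public aggregation with its n + 1 pairing check, and single-signer batch verification with two pairings), together with A's key computation in Joux's 3-party exchange, as an added Python example that is not part of the original slides. The pairing is a constructed toy: G is the order-1019 subgroup of Z_2039^*, GT = G, and e(g^a, g^b) = g^ab is evaluated from a brute-force discrete-log table, so it reproduces the bilinear algebra exactly but offers no security; the hash-to-group map (SHA-256 reduced into an exponent) is likewise an assumption of this example, not the slides' H.

```python
import hashlib
import secrets

# Constructed toy type-1 pairing, for exercising the algebra only: G is the
# order-p subgroup of Z_q^* with q = 2p + 1 (both prime), GT = G, and
# e(g^a, g^b) = g^(a*b) is evaluated via a brute-force discrete-log table.
# Discrete logs are trivial here, so nothing below is secure.
P = 1019                                      # |G| = |GT| = p (prime)
Q = 2 * P + 1                                 # q = 2039 (prime)
G = 4                                         # generator of G (a square mod q)
DLOG = {pow(G, i, Q): i for i in range(P)}    # g^i -> i for every element of G

def pairing(a: int, b: int) -> int:
    """e(a, b) = g^(dlog(a) * dlog(b)); bilinear and non-degenerate by construction."""
    return pow(G, (DLOG[a] * DLOG[b]) % P, Q)

def hash_to_group(msg: bytes) -> int:
    """H : {0,1}* -> G \\ {1}; the exponent lies in [1, p-1], so H(m) != 1."""
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(G, 1 + d % (P - 1), Q)

def keygen() -> tuple[int, int]:
    """Gen(1^k): x <- Zp^*, pk = g^x (g is a public parameter), sk = x."""
    x = 1 + secrets.randbelow(P - 1)
    return pow(G, x, Q), x

def sign(sk: int, msg: bytes) -> int:
    """Sign(sk, m): sigma = H(m)^x."""
    return pow(hash_to_group(msg), sk, Q)

def verify(pk: int, msg: bytes, sig: int) -> bool:
    """Vfy(pk, m, sigma): e(H(m), g^x) == e(sigma, g); two pairings."""
    return sig in DLOG and pairing(hash_to_group(msg), pk) == pairing(sig, G)

def aggregate(sigs: list[int]) -> int:
    """Public aggregation: sigma_Agg = prod_i sigma_i (no secret key needed)."""
    agg = 1
    for s in sigs:
        agg = agg * s % Q
    return agg

def verify_aggregate(pks: list[int], msgs: list[bytes], agg: int) -> bool:
    """e(sigma_Agg, g) == prod_i e(H(m_i), g^x_i): n + 1 pairings instead of 2n."""
    rhs = 1
    for pk, m in zip(pks, msgs):
        rhs = rhs * pairing(hash_to_group(m), pk) % Q
    return agg in DLOG and pairing(agg, G) == rhs

def batch_verify(pk: int, msgs: list[bytes], sigs: list[int]) -> bool:
    """One signer: e(prod_i sigma_i, g) == e(prod_i H(m_i), g^x); two pairings."""
    h = 1
    for m in msgs:
        h = h * hash_to_group(m) % Q
    sigma = aggregate(sigs)
    return sigma in DLOG and pairing(sigma, G) == pairing(h, pk)

def joux_shared_key(a: int, gb: int, gc: int) -> int:
    """Joux 3-party exchange from A's view: k = e(g^b, g^c)^a = e(g, g)^(abc)."""
    return pow(pairing(gb, gc), a, Q)
```

The membership checks (`in DLOG`) stand in for the subgroup check a real implementation performs on received group elements before pairing them.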
Research
• Different forms of aggregation
  – Sequential aggregation (→ Waters signatures), full aggregation (BLS), …
  – Reason: weaker forms of aggregation are easier to achieve (without RO)
• “Universal aggregators” (aggregation across signature schemes)
• Fault-tolerant aggregate signatures
  – Aggregating an invalid signature invalidates the aggregate
  – But: sometimes it is useful to be able to tell which message has an invalid signature
  – → Vfy outputs a list of valid signatures
Socrative
Self-checking with quizzes
• Use the following URL: https://b.socrative.com/login/student
• … and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on the link)
• No registration necessary
• Quiz about CDH and BLS starts now!