predicate-preserving collision-resistant hashing

Predicate-Preserving Collision-Resistant Hashing

Philippe Camacho

November 18, 2013

Advisor Alejandro Hevia

Co-advisor Jérémy Barbay

Committee

Marcos Kiwi

Gonzalo Navarro

Gregory Neven

http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall












Motivation

Database

Cloud Alice

I need to outsource my database for

scaling reasons

How can I be sure that I obtain Bob’s

database data and not something else?

We need to handle a short representation of the database.

Bob

Collision-Resistance

V

If 𝑋 ≠ 𝑋′ and 𝐻 𝑋 = 𝐻 𝑋’ then

the adversary has found a collision.

openssl.tar.gz

File’

𝑋 =

𝑋′ =

Cryptology = Algorithms ∩ Security

Algorithms Security

Cryptology

This Thesis

Programming Languages

Operating Systems

Networks

Distributed Systems

Databases Data-

structures

Hash Functions

Computer Science

Digital Signatures

Why Collision-Resistance is not enough

𝑆 = 0111100111111111 𝑆𝐻𝐴 − 3(𝑆)

How can I convince (efficiently) someone that 𝑺 … contains a 1 in position 5? starts with 0111? contains more 1’s than 0’s ? …

Predicate: P(𝑋, 𝑥) = 𝑇𝑟𝑢𝑒 𝑥 𝜖 𝑋

𝑋 = * 𝑥1, 𝑥2, 𝑥3, 𝑥4, 𝑥5+ 𝐻(𝑋)

𝑷𝒓𝒐𝒐𝒇𝑮𝒆𝒏(𝑋, 𝑥) = 𝜋

𝐻(𝑋)

𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝐻 𝑋 , 𝑥, 𝜋 = 𝑌𝐸𝑆 𝑥 𝜖 X

𝜋

0 1

2

3

Known as Accumulators. A lot of applications: e-cash, zero-knowledge sets, anonymous credentials & ring signatures, database authentication, …

Predicate-Preserving Collision-Resistant

Hashing

Map

Accumulators

Optimal Data Authentication

Transitive Signatures

Short Transitive Signatures For Directed Trees

Fair Exchange of Short Signatures without Trusted Third Party

Optimal Data Authentication From Directed Transitive

Signatures

Strong Accumulators From Collision-Resistant

Hashing

Impossibility of Batch Update For Cryptographic

Accumulators

Pivot

Difficult Problem (Still Open BTW)

1

2

3

4

5

6

7

8 9

ISC 2008

LatinCrypt 2010

eprint 2011

CT-RSA 2012

CT-RSA 2013


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot


1

2

3

4

5

6

7

8 9

Outsourcing Securely a Database

How can Alice be sure that the reply she gets corresponds to the real state of the database?

𝐼𝑁𝑆𝐸𝑅𝑇 (𝑥) 𝑆𝑖𝑔𝑛(𝑆𝐾, 𝑥) = 𝜎𝑥

Replay Attack (*)

Does 𝑥 belong to 𝑋?

𝑌𝐸𝑆: 𝜎𝑥

(*) The reason why trivial solutions don’t work.

𝐷𝐸𝐿𝐸𝑇𝐸 (𝑥)

Replay Attack (*)

Does 𝑥 belong to 𝑋?

𝑌𝐸𝑆: 𝜎𝑥

(*) The reason why trivial solutions don’t work.

Manager

Acc1, Acc2 Acc1 Insert(x)

( x , )

Acc1, Acc2, Acc3

Verify( x , , Acc3) = YES

Witness

Delete(x)

Verify( x , , Acc4) = NO

Alice

Manager

Acc1, Acc2, Acc3, Acc4

Manager

Acc1, Acc2 Acc1 Insert(x)

( x , )

Acc1, Acc2, Acc3

Verify( x , , Acc3) = YES

Witness

Cryptographic Accumulator

Manager

Alice 1 Alice 2 Alice 3

x1 w1 x2 w2 x3 w3

Acc1 Acc1, Acc2 Acc1, Acc2, Acc3

Problem: after each update of the

accumulated value it is necesarry

to recompute all the witnesses.

Manager …,Acc99, Acc100, Acc101,…, Acc200,…

(x1,w1,Acc100)

( x2,w2,Acc100)

( x6,w6,Acc100)

(x36,w36,Acc100)

( x87,w87,Acc100)

(x1,w1,Acc100)

( x20,w20,Acc100)

( x69,w68,Acc100) ( x64,w64,Acc100) …

(x1,w1,Acc100)

( x2,w2,Acc100)

( x6,w6,Acc100) ….

Alice 42 Alice 29 Alice 1 Alice 2

Upd100,200

Batch Update [FN02]

Manager …,Acc99, Acc100, Acc101,…, Acc200,…

(x1,w1’,Acc200)

( x2,w2’,Acc200)

( x6,w6’,Acc200)

(x36,w36’,Acc200)

( x87,w87’,Acc200)

(x1,w1’,Acc200)

( x20,w20’,Acc200)

( x69,w68’,Acc200) ( x64,w64’,Acc200) …

(x1,w1’,Acc200)

( x2,w2’,Acc200)

( x6,w6’,Acc200) ….

Alice 42 Alice 29 Alice 1 Alice 2

Batch Update [FN02]

Batch Update [FN02]

Trivial solution: 𝑈𝑝𝑑𝑋𝑖, 𝑋𝑗 = *list of all witnesses for 𝑋𝑗+

What we would like: |𝑈𝑝𝑑𝑋𝑖, 𝑋𝑗| = 𝑂(1)

Attack on [WWP08]

But 𝒙𝟏 does not belong to 𝑿𝟐!

𝑿𝟎 ∶= Ø

Insert 𝒙𝟏

Delete 𝒙𝟏 𝑿 𝟏∶= *𝒙𝟏+

Please send 𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐 𝑿𝟐 = ∅

𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐

With 𝑼𝒑𝒅𝑿𝟏, 𝑿𝟐 I can update my witness 𝒘𝒙𝟏

Manager

Batch Update is Impossible [CH10]

• Theorem: Let 𝑨𝒄𝒄 be a secure accumulator scheme with deterministic 𝑼𝒑𝒅𝑾𝒊𝒕

and 𝑽𝒆𝒓𝒊𝒇𝒚 algorithms.

For an update involving 𝒎 delete operations in a set of 𝑵 elements,

the size of the update information 𝑼𝒑𝒅𝑿, 𝑿′ required by the algorithm

𝑼𝒑𝒅𝑾𝒊𝒕 is (𝒎 log (𝑵/𝒎)).

In particular if 𝒎 = 𝑵/𝟐 we have 𝑼𝒑𝒅𝑿, 𝑿′ = 𝒎 = (𝑵)


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot


1

2

3

4

5

6

7

8 9

What happens when the Database Owner is not Trusted?

Insert(x)

Belongs(x)

NO

OK

The adversary is lying! How to prevent such a

behaviour?

Manager

(New) Security Model [CHKO08]

Acc1, Acc2, Acc3

Upd1, Upd2, Upd3

𝑉𝑒𝑟𝑖𝑓𝑦𝑈𝑝𝑑𝐴𝑑𝑑(𝐴𝑐𝑐1, 𝐴𝑐𝑐2, 𝑈𝑝𝑑1)

𝐼𝑛𝑠𝑒𝑟𝑡(𝑥)

𝐼𝑛𝑠𝑒𝑟𝑡(𝑦)

𝐷𝑒𝑙𝑒𝑡𝑒(𝑥)

𝑥 ∈ 𝑋? 𝑌𝑒𝑠/𝑁𝑜 𝜋

𝑉𝑒𝑟𝑖𝑓𝑦 (𝐴𝑐𝑐3, 𝑥, 𝜋)

Main Idea of the Construction [CHKO08]

• Merkle Trees [M87]

Z1=H(Y1||Y2)

Y1=H(x4||x1)

x4 x1 x5 x6 x2 x8 x7 x3

Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)

Z2=H(Y3||Y4)

P=H(Z1||Z2)

Root value:

Represents

the set

*𝑥1, … , 𝑥8+

Predicate-Preserving CRHF

Z1=H(Y1||Y2)

Y1=H(x4||x1)

x4 x1 x5 x6 x2 x8 x7 x3

Y2=H(x5||x6) Y3=H(x2||x8) Y4=H(x7||x3)

Z2=H(Y3||Y4)

P=H(Z1||Z2)

H’

Proof for predicate 𝒙𝟐 ∈ 𝑿

𝑂( log 𝑛)

Technical difficulties

• The tree needs to grow dynamically – Not enough to use leaves for storing values

• How to handle membership and non-membership predicates

– Kocher’s trick [Koch98]

• 𝑿 = *𝒙𝟏, 𝒙𝟐, 𝒙𝟑, … , 𝒙𝒏+

• 𝒙 ∉ 𝑿 ⇔ 𝒙𝟐 < 𝒙 < 𝒙𝟑

• Some security issues arise

– Need to apply padding-techniques (Thanks Gregory!)

Main Theorem [CHKO08]

• Theorem: The accumulator is secure if CRHF exist.

All operations run in logarithmic time w.r.t. to the size of the set.


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot 1

2

3

4

5

6

7

8 9


A challenging open problem Optimal Data Authentication (ODA)

Time to compute the proofs: 𝑂(log 𝑛) Time to verify the proof : 𝑂(1)

Using (known) accumulators we only get…

𝑛 = 9, 𝜖 = 1 𝑶( 𝒏) v/s 𝑶(𝟏)

𝑛 = 9, 𝜖 = 2 𝑶( 𝒏) v/s 𝑶(𝟏)

Trade off (Time to compute the proof v/s Time to Verify the proofs)

𝑶(𝝐 𝒏𝟏/𝝐 ) v/s 𝑶 𝝐

𝜖 = log𝑛 𝑶(𝐥𝐨𝐠𝒏) v/s 𝑶(𝐥𝐨𝐠 𝒏)

…


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot


1

2

3

4

5

6

7

8 9

Intro to Cryptology

0

How do we sign a graph?

a

b

Is there a path from 𝑎 to 𝑏?

𝑮

Trivial Solutions

Let 𝒏 = |𝑮|, security parameter 𝛋 When adding a new node… • Sign each edge

– Time to sign: 𝑶(𝟏) – Size of signature: 𝑶(𝒏𝜿) bits

• Sign each path

– Time to sign (new paths): 𝑶(𝒏) – Size of signature: 𝑶(𝜿) bits

Transitive Signature Schemes [MR02,BN05,SMJ05]

𝜎𝐴𝐵 𝜎𝐵𝐶 𝐴 𝐵 𝐶

← 𝑇𝑉𝑒𝑟𝑖𝑓𝑦(𝐴, 𝐶, 𝜎𝐴𝐶, )

Combiner

𝜎𝐴𝐶 ← 𝐶𝑜𝑚𝑏𝑖𝑛𝑒(𝜎𝐴𝐵,𝜎𝐵𝐶, ) 𝜎𝑋𝑌 ← 𝑇𝑆𝑖𝑔𝑛(𝑋, 𝑌, 𝜎𝑋𝑌, )

𝜎𝐴𝐶

𝐷𝑇𝑆 ⇒ 𝑂𝐷𝐴 [C11]

𝑥1 𝑥2 𝑥3 … … … 𝑥25 𝑥26 𝑥27

𝑡1

𝑥15 𝑦15

𝑡2 𝑡3

𝑥19 𝑦19

𝑶(log 𝒏)

Sounds good, but…

• [MR02,BN05,SMJ05] for UNDIRECTED graphs

• Transitive Signatures for Directed Graphs (DTS) still OPEN

• [Hoh03] DTS ⇒ Trapdoor Groups with Infeasible Inversion


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot


1

2

3

4

5

6

7

8 9

Intro to Cryptology

0

Transitive Signatures for Directed Trees

Previous Work

• [Yi07]

• Signature size: 𝒏 log (𝒏 log 𝒏) bits • Better than 𝑶(𝒏𝜿) bits for the trivial solution

• RSA related assumption

• [Neven08]

• Signature size: 𝒏 log 𝒏 bits

• Standard Digital Signatures

𝑶(𝒏 log 𝒏) bits still impractical

Our Results

Examples 𝝐 = 𝟏 𝝐 = 𝟐 𝝐 = log (𝒏)

Time to sign edge / verify path signature

𝑶(𝟏) 𝑶(𝟏) 𝑶(log 𝒏)

Time to compute a path signature

𝑶(𝒏/𝜿) 𝑶( 𝒏/𝜿) 𝑶(log 𝒏)

Size of path signature 𝑶(𝜿) 𝑶(𝜿) 𝑶(𝜿 log 𝒏)

• For 𝝐 ≥ 𝟏 • Time to sign edge / verify path signature: 𝑶(𝝐) • Time to compute a path signature: 𝑶(𝝐(𝒏 𝜿 )1/𝝐) • Size of path signature: 𝑶(𝝐𝜿) bits

Pre/Post Order Tree Traversal

a

h b

c

d

i j k

e f g

Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a

Property of Pre/Post order Traversal

• Proposition [Dietz82]

a

h b

c

d

i j k

e f g

Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a

𝒑𝒐𝒔 𝒙 < 𝒑𝒐𝒔 𝒚 in 𝑷𝒓𝒆 𝒑𝒐𝒔 𝒚 < 𝒑𝒐𝒔(𝒙) in 𝑷𝒐𝒔𝒕

There is a path from 𝒙 to 𝒚 ⇔

Idea

a

h b

c i j k

e f

d

Signature of path (𝒂, 𝒆): • Signature of 𝒂||𝟏||𝟏𝟎 • Signature of 𝒆||𝟓||𝟐

• Check signatures • Check

𝟏 < 𝟓 𝟏𝟎 > 𝟐

• Compute 𝒑𝒐𝒔(𝒙) in 𝑷𝒓𝒆 and 𝑷𝒐𝒔𝒕

• E.g.: Sign 𝒂||𝟏||𝟏𝟎

Position 1 2 3 4 5 6 7 8 9 10

Pre a b c d e f h i j k

Post c e f d b i j k h a

Is there a path from 𝑎 to 𝑒?

𝑮

Challenge: handle changes

Intuition: tricks to assign labels to the vertices so that these labels do not change. We use Order DS.

Remaining task: to compare large labels efficiently

Predicate: P(𝑆, 𝑃) = 𝑇𝑟𝑢𝑒 𝑃 and S share a common prefix

𝑆 = 1000111 𝑃 = 10000

𝐻(𝑆), 𝐻(𝑃)

𝑷𝒓𝒐𝒐𝒇𝑮𝒆𝒏(𝑆, 𝑃) = 𝜋

In the litterature: Accumulators A lot of applications: e-cash, zero-knowledge sets, anonymous credentials & ring signatures, database authentication, …

𝐻 𝑆 ,𝐻(𝑃)

𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝐻 𝑆 ,𝐻(𝑃), 𝜋 = 𝑌𝐸𝑆 𝑃 and 𝑆 share a common

prefix until position 4

𝜋

0 1

2

3

Very easy to derive a bigger family of predicates: • Suffix • Substring • Compare through lexicographical order • …

Security

𝑯𝑮𝒆𝒏(𝟏𝜿, 𝒏) → 𝑷𝑲 (𝑨, 𝑩, 𝝅, 𝒊)

𝑨𝒅𝒗 𝑨 = 𝐏𝐫 𝑷𝒓𝒐𝒐𝒇𝑪𝒉𝒆𝒄𝒌 𝑯 𝑨 ,𝑯 𝑩 , 𝒊, 𝝅, 𝑷𝑲 = 𝑻𝒓𝒖𝒆

∧𝑨 𝟏. . 𝒊 ≠ 𝑩 𝟏. . 𝒊

Bilinear maps (pairings)

• 𝑝, 𝑒, 𝐺, 𝐺𝑇 , 𝑔 ← 𝐵𝑀𝐺𝑒𝑛 1𝑘

• 𝐺 = 𝐺𝑇 = 𝑝

• 𝑒: 𝐺 × 𝐺 → 𝐺𝑇

• 𝑒 𝑔𝑎, 𝑔𝑏 = 𝑒 𝑔, 𝑔 𝑎𝑏

• 𝑒 𝑔, 𝑔 generates 𝐺𝑇

AMAZING TOOL: • Started in 2001 • Thousands of

publications • Dedicated

Conference (Pairings)

n-BDHI assumption [BB04]

𝒆: 𝑮 × 𝑮 → 𝑮𝑻 𝒔 ← 𝒁𝒑

𝒈 generator of 𝑮 (𝒈𝒔, 𝒈𝒔

𝟐

, … , 𝒈𝒔𝒏

)

𝒆(𝒈, 𝒈)𝟏 𝒔

The Hash Function

• 𝑯𝑮𝒆𝒏(𝟏𝜿, 𝒏)

𝒑, 𝑮, 𝑮𝑻, 𝒆, 𝒈 ← 𝐵𝑀𝐺𝑒𝑛 1𝜅

𝒔 ← 𝒁𝒑 𝑻:= (𝒈𝒔, 𝒈𝒔

𝟐

, … , 𝒈𝒔𝒏

) return 𝑷𝑲:= (𝒑, 𝑮, 𝑮𝑻, 𝒆, 𝒈, 𝑻)

• 𝑯𝑬𝒗𝒂𝒍(𝑴,𝑷𝑲)

𝑯(𝑴) ∶= 𝒈𝑴 𝒊 𝒔𝒊

𝒏

𝒊=𝟏

Toy example: 𝑴 = 𝟏𝟎𝟎𝟏 ⇒ 𝑯 𝑴 = 𝒈𝒔 . 𝒈𝒔

𝟒

Generating & Verifying Proofs

• 𝑨 = 𝑨 𝟏. . 𝒏 = 𝟏𝟎𝟎𝟎𝟏𝟏𝟏𝟎𝟎𝟏

• 𝑩 = 𝑩,𝟏. . 𝒏- = 𝟏𝟎𝟎𝟎𝟏𝟎𝟏𝟏𝟎𝟎

• 𝜟 ∶=𝑯 𝑨

𝑯 𝑩=𝒈𝒔𝒈𝒔

𝟓𝒈𝒔𝟔𝒈𝒔𝟕𝒈𝒔𝟏𝟎

𝒈𝒔𝒈𝒔𝟓𝒈𝒔𝟕𝒈𝒔𝟖

= 𝒈𝒔

𝟔

𝒈−𝒔𝟖 𝒈𝒔𝟏𝟎

• 𝜟 = 𝒈𝑪 𝒋 𝒔𝒋𝒏

𝒋=𝟏 with 𝑪 = ,𝟎, 𝟎, 𝟎, 𝟎, 𝟎, 𝟏, 𝟎, −𝟏, 𝟎, 𝟏-

Generating & Verifying Proofs

• 𝜟 = 𝒈𝑪 𝒋 𝒔𝒋𝒏

𝒋=𝟏 with 𝑪 = ,𝟎, 𝟎, 𝟎, 𝟎, 𝟎, 𝟏, 𝟎, −𝟏, 𝟎, 𝟏-

• “Remove” factor 𝐬𝐢+1 in the exponent without knowing 𝐬

𝝅 ≔ 𝜟𝟏

𝒔𝒊+𝟏 = 𝒈𝑪 𝒋 𝒔

𝒋−𝒊−𝟏

𝒏

𝒋=𝒊+𝟏

= 𝒈 𝒈−𝒔𝟐𝒈𝒔𝟒

• Check the proof : 𝒆(𝝅,𝒈𝒔𝒊+1) = 𝒆(𝜟, 𝒈)

Security [CH12]

• Proposition: If the n-BDHI assumption holds, then the previous construction is a CRHF that preserves the common-prefix predicate.

• Proof (idea)

𝐇 𝐀 = 𝐠𝐬 𝐠𝐬𝟓

𝐇 𝐁 = 𝐠𝐬 𝐠𝐬

𝟑

𝐠𝐬𝟔

𝚫 =𝐇 𝐀

𝐇 𝐁= 𝐠−𝒔

𝟑 𝐠𝐬𝟓

𝒈−𝒔𝟔

𝛑 = 𝚫𝟏

𝒔𝟒 = 𝐠−𝟏 𝒔 𝐠𝐬 𝐠−𝐬𝟐

𝐀 = 𝟏𝟎𝟎𝟎𝟏𝟎 𝐁 = 𝟏𝟎𝟏𝟎𝟎𝟏 𝐢 = 𝟑

Tradeoff 𝒏 = 𝟓𝟒, 𝜿 = 𝟐, 𝚺 = 𝒂, 𝒃, 𝒄, 𝒅 𝒏 𝜿 = 𝟓𝟒 𝟐 = 𝟐𝟕 𝝀 = 𝟑 ⇒ (𝒏 𝜿 )𝟏 𝝀 = 𝟑


Hashing

Map

Accumulators






Signatures


Hashing


Accumulators

Pivot


1

2

3

4

5

6

7

8 9

Modeling Transactions with Digital Signatures

Buyer Seller

Digital Check

Software License

The problem: Who starts first? Impossibility Result [Cleve86]

Gradual Release of a Secret

1001 0111

Bob’s signature Alice’s signature

1

0

0

1

0

1

1

1

Allows to circumvent Cleve’s impossibility result (relaxed security definition).

How do I know that the bit I received is not garbage?

Contributions

• Formal definition of Partial Fairness

• Efficiency

• First protocol for Boneh-Boyen signatures

𝜿: Security Parameter 𝜿 = 𝟏𝟔𝟎

# Rounds 𝜅 + 5 165

Communication 16𝜅2 + 12𝜅 bits ≈ 52 kB

# Crypto operations per participant

≈ 30𝜅 ≈ 4800

Commitments

secret

Commitment

secret = +

I will try to open the box with

another value.

I will attempt to find out what is

in the box before I get the key.

1

2

3

secret

The secret is revealed.

Zero-Knowledge Proofs of Knowledge

0 𝜋 ,

I want to fool Alice: Make her believe that the value in the box is binary while it is not (e.g: 15).

I want to know exactly what is in the box (not only that the secret is a bit).

= Yes / No + 0 𝜋

1

2

Prove you know the content of the box and something about this content without opening the box.

Intuition of the Construction [C13]

Signature

1 0 1 1 0 0

35 = 100011 2 Encrypted Signature = + 1

2

3 𝜋1 Each small box contains a bit.

𝜋2 The sequence of small boxes is the binary decomposition of the secret inside the big box.

4 1 0 1 1 0 0 0 0 0 1 1 1

Conclusion

• We introduced the concept of Predicate-Preserving Collision-Resistant Hashing

• Many open questions

– Optimal Data Authentication

– Relationship between predicate complexity and size for proofs

– Apply these techniques to authenticated pattern matching

– Find new applications…

Bibliography

• [BB04] Dan Boneh and Xavier Boyen. Short Signatures Without Random Oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004.

• [ BN05] Mihir Bellare and Gregory Neven. Transitive Signatures: New Schemes and Proofs. IEEE Transactions on Information Theory, 51(6):2133–2151, 2005.

• [ Cleve86] Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In STOC, 1986.

• [ Dietz82 ] Paul F. Dietz. Maintaining Order in a Linked List. In STOC, pages 122–127. ACM Press, May 1982.

• [ FN02] Nelly Fazio and Antonio Nicolisi. Cryptographic Accumulators: Definitions, Constructions and Applications. Technical report, 2002.

• [GM84] Goldwasser, Shafi, and Silvio Micali. "Probabilistic encryption." Journal of computer and system sciences , 1984

• [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM, 1988.

• [ Hoh03] Susan Rae Hohenberger. The Cryptographic Impact of Groups with Infeasible Inversion. Master’s thesis, Massachusetts Institute of Technology, 2003.

Bibliography

• [MR02] Silvio Micali and Ronald Rivest. Transitive Signature Schemes. In Bart Preneel, editor, CT-RSA, 2002.

• [SMJ05] Siamak Fayyaz Shahandashti, Mahmoud Salmasizadeh, and Javad Mohajeri. A Provably Secure Short Transitive Signature Scheme from Bilinear Group Pairs. In Carlo Blundo and Stelvio Cimato, editors, Security in Communication Networks, 2005.

• [WWP08] Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. Improvement of a Dynamic Accumulator at ICICS 07 and Its Application in Multi-user Keyword-Based Retrieval on Encrypted Data. In Asia-Pacific Conference on Services Computing, 2008.

Strong Accumulators from CRHF

Hashing: padding-techniques

The trees are different yet

yield the same hash value.

We need to hash the final value (root) and concatenated with some data on the “shape” of the tree:

𝑯(𝑯’(𝒂||𝒃)||𝟏||𝟏)

Batch Update

Batch Update is Impossible [CH10]

• Theorem: Let 𝑨𝒄𝒄 be a secure accumulator scheme with deterministic 𝑼𝒑𝒅𝑾𝒊𝒕

and 𝑽𝒆𝒓𝒊𝒇𝒚 algorithms.

For an update involving 𝒎 delete operations in a set of 𝑵 elements,

the size of the update information 𝑼𝒑𝒅𝑿, 𝑿′ required by the algorithm

𝑼𝒑𝒅𝑾𝒊𝒕 is (𝒎 log (𝑵/𝒎)).

In particular if 𝒎 = 𝑵/𝟐 we have |𝑼𝒑𝒅𝑿, 𝑿′| = (𝒎) = (𝑵)

X={x1,x2,…,xN}

X={x1,x2,…,xN}

AccX , {w1,w2,…,wN}

Compute AccX, {w1,w2,…,wN}

Delete Xd:={xi1

,xi2,…,xim

} X’ := X\Xd

AccX’ , UpdX,X’

Compute AccX’,UpdX,X’

Proof 1/3

User Manager

Proof 2/3

User

X={x1,x2,…,xN} {w1,…,wN} AccX, AccX’, UpdX,X’

For each element xєX

w’ := UpdWit(w,AccX,AccX’,UpdX,X’) x w’ valid?

YES

NO

CASE 1

User can reconstruct the set Xd

CASE 1

If x is not in X’ => Scheme insecure x still in X’

CASE 2

CASE 2

If x is in X’ => Scheme incorrect x not in X’ anymore

Proof 3/3

• There are subsets of m elements in a set of N elements

• We need log ≥ m log(N/m) bits to encode Xd

( ) N m

( ) N m

Digital Signatures

𝜎 = 𝑆𝑖𝑔𝑛(𝑆𝐾,𝑚)

SK PK

PK

𝑌𝐸𝑆/𝑁𝑂 = 𝑉𝑒𝑟𝑖𝑓𝑦(𝑃𝐾, 𝜎,𝑚)

If the 𝑉𝑒𝑟𝑖𝑓𝑦 algorithm returns 𝑌𝐸𝑆, I am sure Alice is the

author of message 𝑚.

Security for Digital Signatures [GMR88]

(Adversary) (Oracle)

Signature request for message 𝑚1

𝜎1

𝑃𝐾

…

(𝜎,𝑚) such that 𝑉𝑒𝑟𝑖𝑓𝑦(𝑃𝐾, 𝜎,𝑚) returns 𝑌𝐸𝑆 but 𝑚 has not been requested before

This should not happen!

Signature request for message 𝑚2

𝜎2

Signature request for message 𝑚𝑖

𝜎𝑖

Security of transitive signatures [MR02]

(𝐴, 𝐵)

𝜎𝐴𝐵

(𝐵, 𝐶)

σBC

(𝐵, 𝐷)

𝜎𝐵𝐷

(𝐴, 𝐸)

𝜎𝐴𝐸

𝐴

𝐵

𝐶 𝐷

E 𝜎∗, 𝐵, 𝐸 : ← 𝑇𝑉𝑒𝑟𝑖𝑓𝑦(𝐵, 𝐸, 𝜎∗, ) and

There is no path from 𝑩 to 𝑬

ODA is still open

• [PTT10] Papamanthou, Charalampos, Roberto Tamassia, and Nikos Triandopoulos. "Optimal authenticated data structures with multilinear forms." Pairing-Based Cryptography-Pairing 2010. Springer Berlin Heidelberg, 2010. 246-264.

• [CLT13] Coron, Jean-Sébastien, Tancrede Lepoint, and Mehdi Tibouchi. "Practical Multilinear Maps over the Integers." IACR Cryptology ePrint Archive 2013 (2013): 183.

[PTT10] Only works for the two-party model.

Size of proof are 𝑶(𝟏) but time to verify is 𝑶 log 𝒏 .

[CLT13] We know how to build multilinear maps!

Fair Exchange

Partial Fairness

𝑚𝐴, 𝑚𝐵 , 𝑝𝑘𝐴 (𝑠𝑘𝐵, 𝑝𝑘𝐵)

(𝑠𝑘𝐴, 𝑝𝑘𝐴) 𝑚𝐴, 𝑚𝐵

𝑂𝑆𝑖𝑔𝑛 𝑠𝑘𝐵,⋅

𝜎𝐵 on 𝑚𝐴

Bet according to partially released secret

σ𝐴 on 𝑚𝐵 σ∗ on 𝑚∗

Not queried to signing oracle 𝑂𝑆𝑖𝑔𝑛

Simultaneous Hardness of Bits for Discrete Logarithm

𝑙 = 𝜔( log 𝜅)

An adversary cannot distinguish between a random sequence of 𝜿 − 𝒍 bits and the first 𝜿 − 𝒍 bits of 𝜽 given 𝒈𝜽 .

Holds in the generic group model [Schnorr98]

Provable Security

Provable Security

1. Define “Secure” (formally)

2. Design your solution

3. Prove it is secure with respect to definition proposed in step 1

4. Don’t forget to mention your assumptions (mathematical conjectures)

It’s not that easy. E.g. [GM84]

E.g. : Factoring is hard.

We want: If conjecture is true then NO adversary can break the security.

We prove: If adversary can break the security then the conjecture is false.

Provable Security 1. Given a random hash function 𝑯 it should be hard for any adversary to find to messages 𝒎,𝒎’ such that 𝑯(𝒎) = 𝑯(𝒎’) and 𝒎 ≠ 𝒎’

2. 𝑮 a cyclic group , 𝒈 a generator, 𝜶 a random value set 𝒉:= 𝒈𝜶 and define for 𝒎 = 𝒎𝟏||𝒎𝟐:

𝑯(𝒎𝟏| 𝒎𝟐 ∶= 𝒈𝒎𝟏𝒉𝒎𝟐

3. If adversary finds different 𝒎,𝒎’ such that 𝑯(𝒎) = 𝑯(𝒎’) then we can deduce 𝜶 .

4. Discrete logarithm is hard: given 𝒈, 𝒉 it’s difficult (takes a lot of time) to compute 𝜶 such that 𝒉 = 𝒈𝜶