SlideShare a Scribd company logo

Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme

M
MASAYUKITEZUKA1

1. The document presents an improved security proof for the Camenisch-Lysyanskaya signature-based synchronized aggregate signature scheme. 2. It describes the modified Camenisch-Lysyanskaya signature used in the security proof for the Lee-Lee-Yung synchronized aggregate signature scheme. The modified signature replaces the original interactive assumption with the non-interactive 1-MSDH assumption. 3. The authors provide an overview of their security proof, which uses a simulator to convert a signature adversary against the synchronized aggregate signature into a forger against the underlying modified Camenisch-Lysyanskaya signature. This establishes the security of the synchronized aggregate signature under the 1-

Science
1 of 37
Download to read offline
1 Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme Masayuki Tezuka Keisuke Tanaka Tokyo Institute of Technology ACISP 2020 Full presentation slide Version: 2020/12/23
Digital Signature 2 Signer Verifier (", $) (&', (') &' Verify
Aggregate Signature 3 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) ("), %)) ("#, %#) ⋮ (",, %,)
Aggregate Signature 4 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) "), ⋯ , ", , Σ Aggregate Signature
Aggregate Signature 5 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) "), ⋯ , ", , Σ Aggregate Signature ('(), '(#, ⋯ , '(, ) Verify
Types of Aggregate Signature 6 • Full aggregate signature [BGLS03] • Sequential aggregate signature (SeqAS) [LMRS04] • Synchronized aggregate signature (SyncAS) [GR06,AGH10] etc…
Full Aggregate Signature [BGLS03] 7 Signer 1 Signer 2 Signer ! ⋯ #$ #% #& ⋯ Σ
Sequential Aggregate Signature (SeqAS) [LMRS04] 8 Signer 1 Signer 2 Signer ! Σ# Σ$ Σ% Sign Sign Sign ⋯ ⋯
Synchronized Aggregate Signature (SyncAS) [GR06,AGH10] 9 Signer 1 Signer 2 Signer ! ⋯ Time #$ #% &$ &% &' &′$ &′% &′' ⋯ Σ Σ′ ⋯
Synchronized Aggregate Signature (SyncAS) [GR06,AGH10] 10 Signer 1 Signer 2 Signer ! ⋯ Time #$ #% &$ &% &' &′$ &′% &′' ⋯ Σ Σ′ ⋯ Application ・ Log data ・ Sensor data ・ Blockchain protocol
Syntax of SyncAS [AGH 10] 11 Signer 1 Signer ! ⋯ )me #$ #% &$ &' &′$ &′' ⋯ ⋯ Σ′ *+$ ,+$ *+' ,+' Setup(1/ , 11 ) → ** KeyGen(**) → (*+, ,+) Verify(*+, 4, &) → 0 or 1 AggVerify *+8, 48 89$ ' , Σ → 0 or 1 Aggregate *+8, 48, &8 89$ ' → Σ Sign(,+, #, 4) → &
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 12 Challenger Adversary
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 13 ("", "$∗ ) "" ← Setup(1) , 1* ) "$∗ , +$∗ ← KeyGen("") Challenger Adversary ,-./ ← 1
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 14 ("", "$∗ ) ("$, '$) accept or reject "" ← Setup(1* , 1+ ) "$∗ , '$∗ ← KeyGen("") , ← , ∪ {"$} Challenger Adversary 0123 ← 1 Cert query
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 15 ("", "$∗ ) ("$, '$) accept or reject ( or skip ) σ ← Sign('$∗ , ,-./, () ,-./ ← ,-./ + 1 "" ← Setup(12 , 13 ) "$∗ , '$∗ ← KeyGen("") 4 ← 4 ∪ {"$} Challenger Adversary ,-./ ← 1 Cert query Signing query
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 16 ("", "$∗ ) ("$, '$) accept or reject ( or skip ) σ ← Sign('$∗ , ,-./, () ,-./ ← ,-./ + 1 "" ← Setup(12 , 13 ) "$∗ , '$∗ ← KeyGen("") 4 ← 4 ∪ {"$} "$8, ⋯ , "$: = "$∗ , ⋯ , "$< , (8, ⋯ , (:, ⋯ , (< , Σ) Challenger Adversary ,-./ ← 1 Cert query Signing query
EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 17 !"#, ⋯ , !"& = !"∗ , ⋯ , !") , *#, ⋯ , *&, ⋯ , *) , Σ) The adversary wins if: 1. is valid. 2. Never queried *& for the signing oracle. 3. All keys !"#, ⋯ , !") are registered.
SyncAS Based on Bilinear Group 18 Scheme Assumption pk size Agg sig size Agg Ver (in parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 Most efficient scheme
SyncAS Based on Bilinear Group 19 Scheme Assumption pk size Agg sig size Agg Ver (in parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 Most efficient scheme ☹ Interactive assumption !
Non-Interactive Assumption 20 Adversary Instance Solution Example DDH, CDH, DL, SXDH, qSDH etc…
Interactive Assumption 21 Adversary Instance Solution Oracle !" O(#) $" Example LRSW [LRSW99], PS [PS16] etc…
(OT-)LRSW Assumption [LRSW99] 22 Adversary Instance Solution Oracle !" O$,& (') (), *, *+, ,, -, . = -$ , 0 = -& ) (!, 2, 3, 4) ! ∉ !" , ! ∈ 78 ∗ , 2 ∈ *, 3 = 2& , 4 = 2$:;$& (2", 2" & , 2" $:;<$& ) 2" ← *
Our Contribution 23 Scheme Assumption pk size Agg sig size Agg Ver (parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 LLY13 (New Proof) 1-MSDH-2 + ROM ☺ Non-interactive and static assumption !
Security proof for LLY SyncAS 24 OT-LRSW assumption [LRSW99] CL Sig [CL04] OT-EUF-CMA LLY AggSig [LLY10] EUF-CMA [CL04] [LLY13] ROM
Security proof for LLY SyncAS 25 OT-LRSW assumption [LRSW99] CL Sig [CL04] OT-EUF-CMA LLY AggSig [LLY10] EUF-CMA 1-MSDH-2 assumption [PS18] Modified CL Sig [PS18] OT-EUF-CMA [CL04] [LLY13] [PS18] Our Contribution ROM ROM
Our Contribution 26 LLY SyncAS [LLY10] EUF-CMA 1-MSDH-2 assumption [PS18] Modified CL Sig [PS18] OT-EUF-CMA [PS18] Our Result ROM ① ② ③ ④
① !-MSDH-2 Assumption [PS18] 27 Adversary Instance ", $, $%, &, ', '() , '*+() ,-. /0. , '1 , '1*( Solution (2, 3, ℎ 5 678, ℎ 9 6 +:(6)) If we fix ! = 1, we can regard 1-MSDH-2 as a staAc assumpAon. 2 ≠ 0, deg P ≤ !, F + 2 and 3(F) are relative prime.
Sign(&', ) ∈ +,) ). ← +,, 0 ← 1∗ , 3 ← 04 5 ← 06 , 7 ← 54 , 8 ← 09 3:9 7:;9 < ← (). , 0, 3, 5, 7, 8) KeyGen(==) &' = (?, @, A) ← +, B C ← 1∗ , D ← C9 , E ← C4 , + ← C6 =' = (C, D, E, +) ② Modified CL Signature (MCL Sig) [PS18] 28 == = (=, 1, 1F, G) Verify =', ), < G 0, E = G(3, C) ? G 0, + = G(5, C) ? G 5, E = G(7, C) ? G 03: 7:. , D = G(8, C) ?
② Modified CL Signature (MCL Sig) [PS18] 29 If the !-MSDH-2 assumption holds, the modified CL signature is EUF-CMA secure. (! is a bound on the number of signing queries. ) If the 1-MSDH-2 assumption holds, the modified CL signature is OT-EUF-CMA secure. Theorem [PS18] We only use
③ LLY SyncAS [LLY13] 30 !! = (!, %, %&, ', (, )*, )+, ),) Public key and Secret key . ← ∏12* 3 .1 = ∏12* 3 )* 4 56 7 )+(4)89 :,;6 56 Σ ← (., 4) Signature on a message = ∈ ?@ in time period 4 Aggregate signature .1 ← )* 4 56 7 )+(4)89 :,;6 56, A ← (.1, 4) BC1 = D1 ← ?@, !C1 = E1 ← (56
④ Overview of Our Security Proof 31 Simulator Adversary (SyncAS) Challenger (MCL)
④ Overview of Our Security Proof 32 Simulator Adversary (SyncAS) ! ← #$ Challenger (MCL) %& ! (!(, *, +, ,, -, .)
④ Overview of Our Security Proof 33 ("", "$∗) Cert query Program hash '()* ← ,- (.′) 0 ← ,1 .′ , 2′ ← ,3 .′, 24 Σ∗ Simulator Adversary (SyncAS) Hash query Signing query 2 ← 67 Challenger (MCL) "$ 2 (28, ', 0, 9, (, :) ;∗ .8 ← [=],
④ Conversion from MCL Sig to LLY SyncAS 34 !" ← (%" & , (", )" ← (" *+, ," ← (" *+, -" ← ," *+, ." ← (" /+-" 0+ 1/+)" 0+/+) MCL signature Σ ← %& , (, ), ,, -, . = 5 "67 8 ." = 5 "67 8 (-01 /+ )0+/+ , 9 Σ ← . = 5 "67 8 ." = 5 "67 8 :7 9 /+:; 9 <= >,0+ /+ , 9 II. Change (-01 to :7 9 , ) to :; 9 , %" to :? 9, %" . I. Force signers to use same %" & , (", )", ,", -".
References 1/2 35 [AGH10] Ahn, Green, and Hohenberger. Synchronized aggregate signatures: new definiAons, construcAons and applicaAons. (ACM CCS 2010) [BGLS03] Boneh, Gentry, Lynn,and Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. (EUROCRYPT 2003) [CL04] Camenisch and Lysyanskaya. Signature schemes and anonymous credenAals from bilinear maps. (CRYPTO 2004) [GR06] Gentry and Ramzan. IdenAty-based aggregate signatures. (PKC 2006)
References 2/2 36 [LMRS04] Lysyanskaya, Micali, Reyzin, and Shacham. Sequential aggregate signatures from trapdoor permutations. (EUROCRYPT 2004) [LLY 13] Lee, Lee, and Yung. Aggregating CL-signatures revisited: Extended functionality and better efficiency. (FC 2013) [LRSW99] Lysyanskaya, Rivest, Sahai, and Wolf. Pseudonym systems. (SAC1999) [PS16] Pointcheval and Sanders. Short Randomizable Signatures. (CT-RSA 2016) [PS18] Pointcheval and Sanders. Reassessing security of randomizable signatures. (CT-RSA 2018)
Appendix: Modified CL Signature 37 !! = (!, %, %&, ') KeyGen(!!) )* = (+, ,, - ) ← /0 1 ← %∗ , 3 ← 14 , 5 ← 16 , / ← 14 !* = (1, 3, 5, / ) Sign()*, ;) ;< ← /0, = ← %∗ , > ← =6 ? ← =@ , A ← ?6 , B ← =4 >C4 ACD4 E ← (;< , =, >, ?, A, B) Verify !*, ;, E ' =, 5 = '(>, 1) ? ' =, / = '(?, 1) ? ' ?, 5 = '(A, 1) ? ' =>C AC< , 3 = '(B, 1) ?

Recommended

最近のRのランダムフォレストパッケージ -ranger/Rborist-
最近のRのランダムフォレストパッケージ -ranger/Rborist-最近のRのランダムフォレストパッケージ -ranger/Rborist-
最近のRのランダムフォレストパッケージ -ranger/Rborist-
Shintaro Fukushima
 
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
Ken'ichi Matsui
 
組合せ最適化問題と解法アルゴリズム
組合せ最適化問題と解法アルゴリズム組合せ最適化問題と解法アルゴリズム
組合せ最適化問題と解法アルゴリズム
sady_nitro
 
k-匿名化が誘発する濡れ衣:解決編
k-匿名化が誘発する濡れ衣:解決編k-匿名化が誘発する濡れ衣:解決編
k-匿名化が誘発する濡れ衣:解決編
Hiroshi Nakagawa
 
大学でC言語をはじめて触る人へ
大学でC言語をはじめて触る人へ大学でC言語をはじめて触る人へ
大学でC言語をはじめて触る人へ
ssuser3c1023
 
クラシックな機械学習の入門  8. クラスタリング
クラシックな機械学習の入門  8. クラスタリングクラシックな機械学習の入門  8. クラスタリング
クラシックな機械学習の入門  8. クラスタリング
Hiroshi Nakagawa
 
MediaPipeの紹介
MediaPipeの紹介MediaPipeの紹介
MediaPipeの紹介
emakryo
 
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
Junpei Tsuji
 

Recommended

最近のRのランダムフォレストパッケージ -ranger/Rborist-
最近のRのランダムフォレストパッケージ -ranger/Rborist-最近のRのランダムフォレストパッケージ -ranger/Rborist-
最近のRのランダムフォレストパッケージ -ranger/Rborist-
Shintaro Fukushima
 
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
基礎からのベイズ統計学 輪読会資料 第8章 「比率・相関・信頼性」
Ken'ichi Matsui
 
組合せ最適化問題と解法アルゴリズム
組合せ最適化問題と解法アルゴリズム組合せ最適化問題と解法アルゴリズム
組合せ最適化問題と解法アルゴリズム
sady_nitro
 
k-匿名化が誘発する濡れ衣:解決編
k-匿名化が誘発する濡れ衣:解決編k-匿名化が誘発する濡れ衣:解決編
k-匿名化が誘発する濡れ衣:解決編
Hiroshi Nakagawa
 
大学でC言語をはじめて触る人へ
大学でC言語をはじめて触る人へ大学でC言語をはじめて触る人へ
大学でC言語をはじめて触る人へ
ssuser3c1023
 
クラシックな機械学習の入門  8. クラスタリング
クラシックな機械学習の入門  8. クラスタリングクラシックな機械学習の入門  8. クラスタリング
クラシックな機械学習の入門  8. クラスタリング
Hiroshi Nakagawa
 
MediaPipeの紹介
MediaPipeの紹介MediaPipeの紹介
MediaPipeの紹介
emakryo
 
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
オイラー先生のおしゃれな素数判定 - 第14回 #日曜数学会
Junpei Tsuji
 
Pythonとdeep learningで手書き文字認識
Pythonとdeep learningで手書き文字認識Pythonとdeep learningで手書き文字認識
Pythonとdeep learningで手書き文字認識
Ken Morishita
 
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
Takeshi Mikami
 
Prml 最尤推定からベイズ曲線フィッティング
Prml 最尤推定からベイズ曲線フィッティングPrml 最尤推定からベイズ曲線フィッティング
Prml 最尤推定からベイズ曲線フィッティング
takutori
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjp
sonickun
 
情報検索の基礎 #9適合フィードバックとクエリ拡張
情報検索の基礎 #9適合フィードバックとクエリ拡張情報検索の基礎 #9適合フィードバックとクエリ拡張
情報検索の基礎 #9適合フィードバックとクエリ拡張
nishioka1
 
PRML4.3.3
PRML4.3.3PRML4.3.3
PRML4.3.3
sleepy_yoshi
 
東大を目指して…その後
東大を目指して…その後東大を目指して…その後
東大を目指して…その後
naoki yamagishi
 
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセスPydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
Shoichi Taguchi
 
ベイズファクターとモデル選択
ベイズファクターとモデル選択ベイズファクターとモデル選択
ベイズファクターとモデル選択
kazutantan
 
Deep Counterfactual Regret Minimization
Deep Counterfactual Regret MinimizationDeep Counterfactual Regret Minimization
Deep Counterfactual Regret Minimization
Kenshi Abe
 
Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析
Hiroko Onari
 
[DL輪読会]Deep Learning 第2章 線形代数
[DL輪読会]Deep Learning 第2章 線形代数[DL輪読会]Deep Learning 第2章 線形代数
[DL輪読会]Deep Learning 第2章 線形代数
Deep Learning JP
 
[DL輪読会]Deep Learning 第3章 確率と情報理論
[DL輪読会]Deep Learning 第3章 確率と情報理論[DL輪読会]Deep Learning 第3章 確率と情報理論
[DL輪読会]Deep Learning 第3章 確率と情報理論
Deep Learning JP
 
機械学習で泣かないためのコード設計 2018
機械学習で泣かないためのコード設計 2018機械学習で泣かないためのコード設計 2018
機械学習で泣かないためのコード設計 2018
Takahiro Kubo
 
音声認識と深層学習
音声認識と深層学習音声認識と深層学習
音声認識と深層学習
Preferred Networks
 
PRML 2.3節
PRML 2.3節PRML 2.3節
PRML 2.3節
Rei Takami
 
局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出
MPRG_Chubu_University
 
ウィナーフィルタと適応フィルタ
ウィナーフィルタと適応フィルタウィナーフィルタと適応フィルタ
ウィナーフィルタと適応フィルタ
Toshihisa Tanaka
 
PyMCがあれば,ベイズ推定でもう泣いたりなんかしない
PyMCがあれば,ベイズ推定でもう泣いたりなんかしないPyMCがあれば,ベイズ推定でもう泣いたりなんかしない
PyMCがあれば,ベイズ推定でもう泣いたりなんかしない
Toshihiro Kamishima
 
BRNNとは
BRNNとはBRNNとは
BRNNとは
Shannon Lab
 
A t-out-of-n Redactable Signature Scheme
A t-out-of-n Redactable Signature SchemeA t-out-of-n Redactable Signature Scheme
A t-out-of-n Redactable Signature Scheme
MASAYUKITEZUKA1
 
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signaturesDigital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
Priyanka Aash
 

More Related Content

What's hot

Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析
Hiroko Onari
 
局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出
MPRG_Chubu_University
 

What's hot (20)

Pythonとdeep learningで手書き文字認識
Pythonとdeep learningで手書き文字認識Pythonとdeep learningで手書き文字認識
Pythonとdeep learningで手書き文字認識
 
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
K meansによるクラスタリングの解説と具体的なクラスタリングの活用方法の紹介
 
Prml 最尤推定からベイズ曲線フィッティング
Prml 最尤推定からベイズ曲線フィッティングPrml 最尤推定からベイズ曲線フィッティング
Prml 最尤推定からベイズ曲線フィッティング
 
RSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjpRSA暗号運用でやってはいけない n のこと #ssmjp
RSA暗号運用でやってはいけない n のこと #ssmjp
 
情報検索の基礎 #9適合フィードバックとクエリ拡張
情報検索の基礎 #9適合フィードバックとクエリ拡張情報検索の基礎 #9適合フィードバックとクエリ拡張
情報検索の基礎 #9適合フィードバックとクエリ拡張
 
PRML4.3.3
PRML4.3.3PRML4.3.3
PRML4.3.3
 
東大を目指して…その後
東大を目指して…その後東大を目指して…その後
東大を目指して…その後
 
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセスPydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
Pydata_リクルートにおけるbanditアルゴリズム_実装前までのプロセス
 
ベイズファクターとモデル選択
ベイズファクターとモデル選択ベイズファクターとモデル選択
ベイズファクターとモデル選択
 
Deep Counterfactual Regret Minimization
Deep Counterfactual Regret MinimizationDeep Counterfactual Regret Minimization
Deep Counterfactual Regret Minimization
 
Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析Rでソーシャルネットワーク分析
Rでソーシャルネットワーク分析
 
[DL輪読会]Deep Learning 第2章 線形代数
[DL輪読会]Deep Learning 第2章 線形代数[DL輪読会]Deep Learning 第2章 線形代数
[DL輪読会]Deep Learning 第2章 線形代数
 
[DL輪読会]Deep Learning 第3章 確率と情報理論
[DL輪読会]Deep Learning 第3章 確率と情報理論[DL輪読会]Deep Learning 第3章 確率と情報理論
[DL輪読会]Deep Learning 第3章 確率と情報理論
 
機械学習で泣かないためのコード設計 2018
機械学習で泣かないためのコード設計 2018機械学習で泣かないためのコード設計 2018
機械学習で泣かないためのコード設計 2018
 
音声認識と深層学習
音声認識と深層学習音声認識と深層学習
音声認識と深層学習
 
PRML 2.3節
PRML 2.3節PRML 2.3節
PRML 2.3節
 
局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出局所特徴量と統計学習手法による物体検出
局所特徴量と統計学習手法による物体検出
 
ウィナーフィルタと適応フィルタ
ウィナーフィルタと適応フィルタウィナーフィルタと適応フィルタ
ウィナーフィルタと適応フィルタ
 
PyMCがあれば,ベイズ推定でもう泣いたりなんかしない
PyMCがあれば,ベイズ推定でもう泣いたりなんかしないPyMCがあれば,ベイズ推定でもう泣いたりなんかしない
PyMCがあれば,ベイズ推定でもう泣いたりなんかしない
 
BRNNとは
BRNNとはBRNNとは
BRNNとは
 

Similar to Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme

MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analytics
datablend
 
Identity-based threshold group signature scheme based on multiple hard number...
Identity-based threshold group signature scheme based on multiple hard number...Identity-based threshold group signature scheme based on multiple hard number...
Identity-based threshold group signature scheme based on multiple hard number...
IJECEIAES
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
DefconRussia
 

Similar to Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme (20)

A t-out-of-n Redactable Signature Scheme
A t-out-of-n Redactable Signature SchemeA t-out-of-n Redactable Signature Scheme
A t-out-of-n Redactable Signature Scheme
 
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signaturesDigital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
 
C programs
C programsC programs
C programs
 
Let's Learn to Talk to GC Logs in Java 9
Let's Learn to Talk to GC Logs in Java 9Let's Learn to Talk to GC Logs in Java 9
Let's Learn to Talk to GC Logs in Java 9
 
MongoDB Analytics
MongoDB AnalyticsMongoDB Analytics
MongoDB Analytics
 
Identity-based threshold group signature scheme based on multiple hard number...
Identity-based threshold group signature scheme based on multiple hard number...Identity-based threshold group signature scheme based on multiple hard number...
Identity-based threshold group signature scheme based on multiple hard number...
 
pa-pe-pi-po-pure Python Text Processing
pa-pe-pi-po-pure Python Text Processingpa-pe-pi-po-pure Python Text Processing
pa-pe-pi-po-pure Python Text Processing
 
R Language
R LanguageR Language
R Language
 
RSA SIGNATURE: BEHIND THE SCENES
RSA SIGNATURE: BEHIND THE SCENESRSA SIGNATURE: BEHIND THE SCENES
RSA SIGNATURE: BEHIND THE SCENES
 
Asssignment2
Asssignment2 Asssignment2
Asssignment2
 
Dem 7263 fall 2015 Spatial GLM's
Dem 7263 fall 2015 Spatial GLM'sDem 7263 fall 2015 Spatial GLM's
Dem 7263 fall 2015 Spatial GLM's
 
Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes
 
alexnet.pdf
alexnet.pdfalexnet.pdf
alexnet.pdf
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 
An Interactive Introduction To R (Programming Language For Statistics)
An Interactive Introduction To R (Programming Language For Statistics)An Interactive Introduction To R (Programming Language For Statistics)
An Interactive Introduction To R (Programming Language For Statistics)
 
Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015
 
Super Advanced Python –act1
Super Advanced Python –act1Super Advanced Python –act1
Super Advanced Python –act1
 
NCCU CPDA Lecture 12 Attribute Based Encryption
NCCU CPDA Lecture 12 Attribute Based EncryptionNCCU CPDA Lecture 12 Attribute Based Encryption
NCCU CPDA Lecture 12 Attribute Based Encryption
 
Compose Async with RxJS
Compose Async with RxJSCompose Async with RxJS
Compose Async with RxJS
 
R programming language
R programming languageR programming language
R programming language
 

Recently uploaded

Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
Sérgio Sacani
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
gindu3009
 
Isotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoIsotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on Io
Sérgio Sacani
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Sérgio Sacani
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
Sumit Kumar yadav
 
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
Nitya salvi
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Sérgio Sacani
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Sérgio Sacani
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
RohitNehra6
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
PirithiRaju
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
Sérgio Sacani
 

Recently uploaded (20)

Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Isotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoIsotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on Io
 
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceuticsPulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
 
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 bAsymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
Asymmetry in the atmosphere of the ultra-hot Jupiter WASP-76 b
 
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptxPhysiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
Botany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsBotany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questions
 
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 

Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme

  • 1. 1 Improved Security Proof for the Camenisch- Lysyanskaya Signature-Based Synchronized Aggregate Signature Scheme Masayuki Tezuka Keisuke Tanaka Tokyo Institute of Technology ACISP 2020 Full presentation slide Version: 2020/12/23
  • 3. Aggregate Signature 3 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) ("), %)) ("#, %#) ⋮ (",, %,)
  • 4. Aggregate Signature 4 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) "), ⋯ , ", , Σ Aggregate Signature
  • 5. Aggregate Signature 5 ("#, %#) Signer 1 ('(), *()) Signer 2 ('(#, *(#) Signer + ('(,, *(,) ⋮ ("), %)) (",, %,) "), ⋯ , ", , Σ Aggregate Signature ('(), '(#, ⋯ , '(, ) Verify
  • 6. Types of Aggregate Signature 6 • Full aggregate signature [BGLS03] • Sequential aggregate signature (SeqAS) [LMRS04] • Synchronized aggregate signature (SyncAS) [GR06,AGH10] etc…
  • 7. Full Aggregate Signature [BGLS03] 7 Signer 1 Signer 2 Signer ! ⋯ #$ #% #& ⋯ Σ
  • 8. Sequential Aggregate Signature (SeqAS) [LMRS04] 8 Signer 1 Signer 2 Signer ! Σ# Σ$ Σ% Sign Sign Sign ⋯ ⋯
  • 9. Synchronized Aggregate Signature (SyncAS) [GR06,AGH10] 9 Signer 1 Signer 2 Signer ! ⋯ Time #$ #% &$ &% &' &′$ &′% &′' ⋯ Σ Σ′ ⋯
  • 10. Synchronized Aggregate Signature (SyncAS) [GR06,AGH10] 10 Signer 1 Signer 2 Signer ! ⋯ Time #$ #% &$ &% &' &′$ &′% &′' ⋯ Σ Σ′ ⋯ Application ・ Log data ・ Sensor data ・ Blockchain protocol
  • 11. Syntax of SyncAS [AGH 10] 11 Signer 1 Signer ! ⋯ )me #$ #% &$ &' &′$ &′' ⋯ ⋯ Σ′ *+$ ,+$ *+' ,+' Setup(1/ , 11 ) → ** KeyGen(**) → (*+, ,+) Verify(*+, 4, &) → 0 or 1 AggVerify *+8, 48 89$ ' , Σ → 0 or 1 Aggregate *+8, 48, &8 89$ ' → Σ Sign(,+, #, 4) → &
  • 12. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 12 Challenger Adversary
  • 13. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 13 ("", "$∗ ) "" ← Setup(1) , 1* ) "$∗ , +$∗ ← KeyGen("") Challenger Adversary ,-./ ← 1
  • 14. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 14 ("", "$∗ ) ("$, '$) accept or reject "" ← Setup(1* , 1+ ) "$∗ , '$∗ ← KeyGen("") , ← , ∪ {"$} Challenger Adversary 0123 ← 1 Cert query
  • 15. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 15 ("", "$∗ ) ("$, '$) accept or reject ( or skip ) σ ← Sign('$∗ , ,-./, () ,-./ ← ,-./ + 1 "" ← Setup(12 , 13 ) "$∗ , '$∗ ← KeyGen("") 4 ← 4 ∪ {"$} Challenger Adversary ,-./ ← 1 Cert query Signing query
  • 16. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 16 ("", "$∗ ) ("$, '$) accept or reject ( or skip ) σ ← Sign('$∗ , ,-./, () ,-./ ← ,-./ + 1 "" ← Setup(12 , 13 ) "$∗ , '$∗ ← KeyGen("") 4 ← 4 ∪ {"$} "$8, ⋯ , "$: = "$∗ , ⋯ , "$< , (8, ⋯ , (:, ⋯ , (< , Σ) Challenger Adversary ,-./ ← 1 Cert query Signing query
  • 17. EUF-CMA Security for SyncAS in the Certified-Key Model [AGH 10] 17 !"#, ⋯ , !"& = !"∗ , ⋯ , !") , *#, ⋯ , *&, ⋯ , *) , Σ) The adversary wins if: 1. is valid. 2. Never queried *& for the signing oracle. 3. All keys !"#, ⋯ , !") are registered.
  • 18. SyncAS Based on Bilinear Group 18 Scheme Assumption pk size Agg sig size Agg Ver (in parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 Most efficient scheme
  • 19. SyncAS Based on Bilinear Group 19 Scheme Assumption pk size Agg sig size Agg Ver (in parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 Most efficient scheme ☹ Interactive assumption !
  • 22. (OT-)LRSW Assumption [LRSW99] 22 Adversary Instance Solution Oracle !" O$,& (') (), *, *+, ,, -, . = -$ , 0 = -& ) (!, 2, 3, 4) ! ∉ !" , ! ∈ 78 ∗ , 2 ∈ *, 3 = 2& , 4 = 2$:;$& (2", 2" & , 2" $:;<$& ) 2" ← *
  • 23. Our Contribution 23 Scheme Assumption pk size Agg sig size Agg Ver (parinig) GR06 CDH + ROM ID 3 3 AGH10 CDH 1 3 ! + 3 AGH10 CDH + ROM 1 2 4 LLY13 OT-LRSW + ROM 1 2 3 LLY13 (New Proof) 1-MSDH-2 + ROM ☺ Non-interactive and static assumption !
  • 24. Security proof for LLY SyncAS 24 OT-LRSW assumption [LRSW99] CL Sig [CL04] OT-EUF-CMA LLY AggSig [LLY10] EUF-CMA [CL04] [LLY13] ROM
  • 25. Security proof for LLY SyncAS 25 OT-LRSW assumption [LRSW99] CL Sig [CL04] OT-EUF-CMA LLY AggSig [LLY10] EUF-CMA 1-MSDH-2 assumption [PS18] Modified CL Sig [PS18] OT-EUF-CMA [CL04] [LLY13] [PS18] Our Contribution ROM ROM
  • 26. Our Contribution 26 LLY SyncAS [LLY10] EUF-CMA 1-MSDH-2 assumption [PS18] Modified CL Sig [PS18] OT-EUF-CMA [PS18] Our Result ROM ① ② ③ ④
  • 27. ① !-MSDH-2 Assumption [PS18] 27 Adversary Instance ", $, $%, &, ', '() , '*+() ,-. /0. , '1 , '1*( Solution (2, 3, ℎ 5 678, ℎ 9 6 +:(6)) If we fix ! = 1, we can regard 1-MSDH-2 as a staAc assumpAon. 2 ≠ 0, deg P ≤ !, F + 2 and 3(F) are relative prime.
  • 28. Sign(&', ) ∈ +,) ). ← +,, 0 ← 1∗ , 3 ← 04 5 ← 06 , 7 ← 54 , 8 ← 09 3:9 7:;9 < ← (). , 0, 3, 5, 7, 8) KeyGen(==) &' = (?, @, A) ← +, B C ← 1∗ , D ← C9 , E ← C4 , + ← C6 =' = (C, D, E, +) ② Modified CL Signature (MCL Sig) [PS18] 28 == = (=, 1, 1F, G) Verify =', ), < G 0, E = G(3, C) ? G 0, + = G(5, C) ? G 5, E = G(7, C) ? G 03: 7:. , D = G(8, C) ?
  • 29. ② Modified CL Signature (MCL Sig) [PS18] 29 If the !-MSDH-2 assumption holds, the modified CL signature is EUF-CMA secure. (! is a bound on the number of signing queries. ) If the 1-MSDH-2 assumption holds, the modified CL signature is OT-EUF-CMA secure. Theorem [PS18] We only use
  • 30. ③ LLY SyncAS [LLY13] 30 !! = (!, %, %&, ', (, )*, )+, ),) Public key and Secret key . ← ∏12* 3 .1 = ∏12* 3 )* 4 56 7 )+(4)89 :,;6 56 Σ ← (., 4) Signature on a message = ∈ ?@ in time period 4 Aggregate signature .1 ← )* 4 56 7 )+(4)89 :,;6 56, A ← (.1, 4) BC1 = D1 ← ?@, !C1 = E1 ← (56
  • 31. ④ Overview of Our Security Proof 31 Simulator Adversary (SyncAS) Challenger (MCL)
  • 32. ④ Overview of Our Security Proof 32 Simulator Adversary (SyncAS) ! ← #$ Challenger (MCL) %& ! (!(, *, +, ,, -, .)
  • 33. ④ Overview of Our Security Proof 33 ("", "$∗) Cert query Program hash '()* ← ,- (.′) 0 ← ,1 .′ , 2′ ← ,3 .′, 24 Σ∗ Simulator Adversary (SyncAS) Hash query Signing query 2 ← 67 Challenger (MCL) "$ 2 (28, ', 0, 9, (, :) ;∗ .8 ← [=],
  • 34. ④ Conversion from MCL Sig to LLY SyncAS 34 !" ← (%" & , (", )" ← (" *+, ," ← (" *+, -" ← ," *+, ." ← (" /+-" 0+ 1/+)" 0+/+) MCL signature Σ ← %& , (, ), ,, -, . = 5 "67 8 ." = 5 "67 8 (-01 /+ )0+/+ , 9 Σ ← . = 5 "67 8 ." = 5 "67 8 :7 9 /+:; 9 <= >,0+ /+ , 9 II. Change (-01 to :7 9 , ) to :; 9 , %" to :? 9, %" . I. Force signers to use same %" & , (", )", ,", -".
  • 35. References 1/2 35 [AGH10] Ahn, Green, and Hohenberger. Synchronized aggregate signatures: new definiAons, construcAons and applicaAons. (ACM CCS 2010) [BGLS03] Boneh, Gentry, Lynn,and Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. (EUROCRYPT 2003) [CL04] Camenisch and Lysyanskaya. Signature schemes and anonymous credenAals from bilinear maps. (CRYPTO 2004) [GR06] Gentry and Ramzan. IdenAty-based aggregate signatures. (PKC 2006)
  • 36. References 2/2 36 [LMRS04] Lysyanskaya, Micali, Reyzin, and Shacham. Sequential aggregate signatures from trapdoor permutations. (EUROCRYPT 2004) [LLY 13] Lee, Lee, and Yung. Aggregating CL-signatures revisited: Extended functionality and better efficiency. (FC 2013) [LRSW99] Lysyanskaya, Rivest, Sahai, and Wolf. Pseudonym systems. (SAC1999) [PS16] Pointcheval and Sanders. Short Randomizable Signatures. (CT-RSA 2016) [PS18] Pointcheval and Sanders. Reassessing security of randomizable signatures. (CT-RSA 2018)
  • 37. Appendix: Modified CL Signature 37 !! = (!, %, %&, ') KeyGen(!!) )* = (+, ,, - ) ← /0 1 ← %∗ , 3 ← 14 , 5 ← 16 , / ← 14 !* = (1, 3, 5, / ) Sign()*, ;) ;< ← /0, = ← %∗ , > ← =6 ? ← =@ , A ← ?6 , B ← =4 >C4 ACD4 E ← (;< , =, >, ?, A, B) Verify !*, ;, E ' =, 5 = '(>, 1) ? ' =, / = '(?, 1) ? ' ?, 5 = '(A, 1) ? ' =>C AC< , 3 = '(B, 1) ?