Predicate-Preserving Collision-Resistant Hashing

833 views

Published on

The slides of the defense of my thesis in Santiago de Chile.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
833
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
7
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Predicate-Preserving Collision-Resistant Hashing

  1. 1. November 18, 2013 Predicate-Preserving Collision-Resistant Hashing Philippe Camacho Advisor Alejandro Hevia Co-advisor Jรฉrรฉmy Barbay Marcos Kiwi Committee Gonzalo Navarro Gregory Neven
  2. 2. http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall
  3. 3. Motivation How can I be sure that I obtain Bobโ€™s database data and not something else? I need to outsource my database for scaling reasons Bob Cloud Alice We need to handle a short representation of the database. Database
  4. 4. Collision-Resistance If ๐‘‹ โ‰  ๐‘‹ โ€ฒ and ๐ป ๐‘‹ = ๐ป ๐‘‹โ€™ then the adversary has found a collision. ๐‘‹= openssl.tar.gz V ๐‘‹โ€ฒ = Fileโ€™
  5. 5. Cryptology = Algorithms โˆฉ Security This Thesis Computer Science Databases Datastructures Hash Functions Programming Languages Digital Signatures Algorithms Security Operating Systems Networks Distributed Systems Cryptology
  6. 6. Why Collision-Resistance is not enough ๐‘† = 0111100111111111 How can I convince (efficiently) someone that ๐‘บ โ€ฆ contains a 1 in position 5? starts with 0111? contains more 1โ€™s than 0โ€™s ? โ€ฆ ๐‘†๐ป๐ด โˆ’ 3(๐‘†)
  7. 7. Predicate: P(๐‘‹, ๐‘ฅ) = ๐‘‡๐‘Ÿ๐‘ข๐‘’ ๏ƒณ๐‘ฅ ๐œ– ๐‘‹ ๐ป(๐‘‹) ๐‘‹ = * ๐‘ฅ1 , ๐‘ฅ2 , ๐‘ฅ3 , ๐‘ฅ4 , ๐‘ฅ5 + ๐ป(๐‘‹) ๐œ‹ 1 0 3 ๐‘ท๐’“๐’๐’๐’‡๐‘ช๐’‰๐’†๐’„๐’Œ ๐ป ๐‘‹ , ๐‘ฅ, ๐œ‹ = ๐‘Œ๐ธ๐‘† ๏ƒณ ๐‘ฅ ๐œ– X ๐‘ท๐’“๐’๐’๐’‡๐‘ฎ๐’†๐’(๐‘‹, ๐‘ฅ) = ๐œ‹ 2 Known as Accumulators. A lot of applications: e-cash, zero-knowledge sets, anonymous credentials & ring signatures, database authentication, โ€ฆ
  8. 8. Map Difficult Problem (Still Open BTW) Optimal Data Authentication Accumulators Optimal Data Authentication From Directed Transitive Signatures eprint 4 1 Pivot 6 Strong Accumulators From Collision-Resistant Hashing ISC 2008 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 LatinCrypt 2010 Predicate-Preserving Collision-Resistant Hashing 9 8 2011 Short Transitive Signatures For Directed Trees CT-RSA 2012 Fair Exchange of Short Signatures without CT-RSA Trusted Third Party 2013
  9. 9. Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  10. 10. Outsourcing Securely a Database How can Alice be sure that the reply she gets corresponds to the real state of the database?
  11. 11. Replay Attack (*) ๐ผ๐‘๐‘†๐ธ๐‘…๐‘‡ (๐‘ฅ) ๐‘†๐‘–๐‘”๐‘›(๐‘†๐พ, ๐‘ฅ) = ๐œŽ ๐‘ฅ ๐‘Œ๐ธ๐‘†: ๐œŽ ๐‘ฅ Does ๐‘ฅ belong to ๐‘‹? (*) The reason why trivial solutions donโ€™t work.
  12. 12. Replay Attack (*) ๐‘Œ๐ธ๐‘†: ๐œŽ ๐‘ฅ ๐ท๐ธ๐ฟ๐ธ๐‘‡๐ธ (๐‘ฅ) Does ๐‘ฅ belong to ๐‘‹? (*) The reason why trivial solutions donโ€™t work.
  13. 13. Manager Acc1, Acc2, Acc3 Insert(x) Witness ( x , ) Verify( x , , Acc3) = YES
  14. 14. Manager Delete(x) Acc1, Acc2, Acc3, Acc4 Alice Verify( x , , Acc4) = NO
  15. 15. Manager Acc1, Acc2, Acc3 Insert(x) Cryptographic Accumulator Witness ( x , ) Verify( x , , Acc3) = YES
  16. 16. Manager Acc1, Acc2, Acc3 x1 Alice 1 w1 x2 w2 Alice 2 x3 w3 Alice 3
  17. 17. Problem: after each update of the accumulated value it is necesarry to recompute all the witnesses.
  18. 18. Batch Update [FN02] Manager โ€ฆ,Acc99, Acc100, Acc101,โ€ฆ, Acc200,โ€ฆ Upd100,200 Alice 1 (x1,w1,Acc100) ( x2,w2,Acc100) ( x6,w6,Acc100) Alice 2 (x36,w36,Acc100) ( x87,w87,Acc100) Alice 29 Alice 42 (x1,w1,Acc100) ( x20,w20,Acc100) ( x69,w68,Acc100) ( x64,w64,Acc100) (x1,w1,Acc100) ( x2,w2,Acc100) ( x6,w6,Acc100) โ€ฆ โ€ฆ.
  19. 19. Batch Update [FN02] Manager โ€ฆ,Acc99, Acc100, Acc101,โ€ฆ, Acc200,โ€ฆ Alice 1 (x1,w1โ€™,Acc200) ( x2,w2โ€™,Acc200) ( x6,w6โ€™,Acc200) Alice 2 (x36,w36โ€™,Acc200) ( x87,w87โ€™,Acc200) Alice 29 Alice 42 (x1,w1โ€™,Acc200) ( x20,w20โ€™,Acc200) ( x69,w68โ€™,Acc200) ( x64,w64โ€™,Acc200) (x1,w1โ€™,Acc200) ( x2,w2โ€™,Acc200) ( x6,w6โ€™,Acc200) โ€ฆ โ€ฆ.
  20. 20. Batch Update [FN02] Trivial solution: ๐‘ˆ๐‘๐‘‘ ๐‘‹ ๐‘–, ๐‘‹๐‘— = *list of all witnesses for ๐‘‹ ๐‘—+ What we would like: |๐‘ˆ๐‘๐‘‘ ๐‘‹ ๐‘–, ๐‘‹๐‘—| = ๐‘‚(1)
  21. 21. Attack on [WWP08] Manager ๐‘ฟ ๐ŸŽ โˆถ= ร˜ Insert ๐’™ ๐Ÿ Delete ๐’™ ๐Ÿ Please send ๐‘ผ๐’‘๐’… ๐‘ฟ ๐Ÿ, ๐‘ผ๐’‘๐’… ๐‘ฟ ๐Ÿ, ๐‘ฟ ๐Ÿ โˆถ= *๐’™ ๐Ÿ+ ๐‘ฟ๐Ÿ ๐‘ฟ๐Ÿ With ๐‘ผ๐’‘๐’… ๐‘ฟ ๐Ÿ, ๐‘ฟ ๐Ÿ I can update my witness ๐’˜ ๐’™ ๐Ÿ But ๐’™ ๐Ÿ does not belong to ๐‘ฟ ๐Ÿ! ๐‘ฟ๐Ÿ =โˆ…
  22. 22. Batch Update is Impossible [CH10] โ€ข Theorem: Let ๐‘จ๐’„๐’„ be a secure accumulator scheme with deterministic ๐‘ผ๐’‘๐’…๐‘พ๐’Š๐’• and ๐‘ฝ๐’†๐’“๐’Š๐’‡๐’š algorithms. For an update involving ๐’Ž delete operations in a set of ๐‘ต elements, the size of the update information ๐‘ผ๐’‘๐’… ๐‘ฟ, ๐‘ฟโ€ฒ required by the algorithm ๐‘ผ๐’‘๐’…๐‘พ๐’Š๐’• is ๏—(๐’Ž log(๐‘ต/๐’Ž)). In particular if ๐’Ž = ๐‘ต/๐Ÿ we have ๐‘ผ๐’‘๐’… ๐‘ฟ, ๐‘ฟโ€ฒ = ๏— ๐’Ž = ๏—(๐‘ต)
  23. 23. Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  24. 24. What happens when the Database Owner is not Trusted? The adversary is lying! How to prevent such a behaviour? Insert(x) NO OK Belongs(x)
  25. 25. (New) Security Model [CHKO08] ๐ผ๐‘›๐‘ ๐‘’๐‘Ÿ๐‘ก(๐‘ฅ) ๐ผ๐‘›๐‘ ๐‘’๐‘Ÿ๐‘ก(๐‘ฆ) Manager Acc1, Acc2, Acc3 Upd1, Upd2, Upd3 ๐ท๐‘’๐‘™๐‘’๐‘ก๐‘’(๐‘ฅ) ๐‘ฅ โˆˆ ๐‘‹? ๐‘Œ๐‘’๐‘ /๐‘๐‘œ ๐œ‹ ๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ๐‘ˆ๐‘๐‘‘ ๐ด๐‘‘๐‘‘ (๐ด๐‘๐‘1 , ๐ด๐‘๐‘2 , ๐‘ˆ๐‘๐‘‘1 ) ๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ (๐ด๐‘๐‘3 , ๐‘ฅ, ๐œ‹)
  26. 26. Main Idea of the Construction [CHKO08] โ€ข Merkle Trees [M87] P=H(Z1||Z2) Z2=H(Y3||Y4) Z1=H(Y1||Y2) Root value: Represents the set *๐‘ฅ1, โ€ฆ , ๐‘ฅ8+ Y1=H(x4||x1) x4 x1 Y2=H(x5||x6) x5 x6 Y3=H(x2||x8) x2 x8 Y4=H(x7||x3) x7 x3
  27. 27. Predicate-Preserving CRHF Proof for predicate ๐’™๐Ÿ โˆˆ ๐‘ฟ P=H(Z1||Z2) Z2=H(Y3||Y4) Z1=H(Y1||Y2) Hโ€™ ๐‘‚( log ๐‘›) Y1=H(x4||x1) x4 x1 Y2=H(x5||x6) x5 x6 Y3=H(x2||x8) Y4=H(x7||x3) x2 x7 x8 x3
  28. 28. Technical difficulties โ€ข The tree needs to grow dynamically โ€“ Not enough to use leaves for storing values โ€ข How to handle membership and non-membership predicates โ€“ Kocherโ€™s trick [Koch98] โ€ข ๐‘ฟ = *๐’™ ๐Ÿ , ๐’™ ๐Ÿ , ๐’™ ๐Ÿ‘ , โ€ฆ , ๐’™ ๐’ + โ€ข ๐’™โˆ‰ ๐‘ฟโ‡” ๐’™๐Ÿ < ๐’™< ๐’™๐Ÿ‘ โ€ข Some security issues arise โ€“ Need to apply padding-techniques (Thanks Gregory!)
  29. 29. Main Theorem [CHKO08] โ€ข Theorem: The accumulator is secure if CRHF exist. All operations run in logarithmic time w.r.t. to the size of the set.
  30. 30. Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  31. 31. A challenging open problem Optimal Data Authentication (ODA) Time to compute the proofs: Time to verify the proof : ๐‘‚(log ๐‘›) ๐‘‚(1)
  32. 32. Using (known) accumulators we only getโ€ฆ โ€ฆ ๐‘› = 9, ๐œ– = 1 ๐‘ถ( ๐’) v/s ๐‘ถ(๐Ÿ) ๐‘› = 9, ๐œ– = 2 ๐‘ถ( ๐’) v/s ๐‘ถ(๐Ÿ) ๐œ– = log ๐‘› ๐‘ถ(๐ฅ๐จ๐  ๐’) v/s ๐‘ถ(๐ฅ๐จ๐  ๐’) Trade off (Time to compute the proof v/s Time to Verify the proofs) ๐‘ถ(๐ ๐’ ๐Ÿ/๐ ) v/s ๐‘ถ ๐
  33. 33. Intro to Cryptology 0 Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  34. 34. How do we sign a graph? Is there a path from ๐‘Ž to ๐‘? ๐‘ฎ a b
  35. 35. Trivial Solutions Let ๐’ = |๐‘ฎ|, security parameter ๐›‹ When adding a new nodeโ€ฆ โ€ข Sign each edge โ€“ Time to sign: ๐‘ถ(๐Ÿ) โ€“ Size of signature: ๐‘ถ(๐’๐œฟ) bits โ€ข Sign each path โ€“ Time to sign (new paths): ๐‘ถ(๐’) โ€“ Size of signature: ๐‘ถ(๐œฟ) bits
  36. 36. Transitive Signature Schemes [MR02,BN05,SMJ05] Combiner ๐œŽ ๐‘‹๐‘Œ โ† ๐‘‡๐‘†๐‘–๐‘”๐‘›(๐‘‹, ๐‘Œ, ๐œŽ ๐‘‹๐‘Œ, ) ๐ด ๐œŽ ๐ด๐ถ โ† ๐ถ๐‘œ๐‘š๐‘๐‘–๐‘›๐‘’(๐œŽ ๐ด๐ต,๐œŽ ๐ต๐ถ , ๐œŽ ๐ด๐ต ๐ต ๐œŽ ๐ด๐ถ ) ๐œŽ ๐ต๐ถ โ† ๐‘‡๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ(๐ด, ๐ถ, ๐œŽ ๐ด๐ถ , ๐ถ )
  37. 37. ๐ท๐‘‡๐‘† โ‡’ ๐‘‚๐ท๐ด [C11] ๐‘ก1 ๐‘ก2 ๐‘ก3 ๐‘ถ(log ๐’) ๐‘ฅ1 ๐‘ฅ2 ๐‘ฅ3 โ€ฆ โ€ฆ ๐‘ฅ15 ๐‘ฆ15 ๐‘ฆ19 ๐‘ฅ19 โ€ฆ ๐‘ฅ25 ๐‘ฅ26 ๐‘ฅ27
  38. 38. Sounds good, butโ€ฆ โ€ข [MR02,BN05,SMJ05] for UNDIRECTED graphs โ€ข Transitive Signatures for Directed Graphs (DTS) still OPEN โ€ข [Hoh03] DTS โ‡’ Trapdoor Groups with Infeasible Inversion
  39. 39. Intro to Cryptology 0 Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  40. 40. Transitive Signatures for Directed Trees
  41. 41. Previous Work โ€ข [Yi07] โ€ข Signature size: ๐’ log(๐’ log ๐’) bits โ€ข Better than ๐‘ถ(๐’๐œฟ) bits for the trivial solution โ€ข RSA related assumption โ€ข [Neven08] โ€ข Signature size: ๐’ log ๐’ bits โ€ข Standard Digital Signatures ๐‘ถ(๐’ log ๐’) bits still impractical
  42. 42. Our Results โ€ข For ๐ โ‰ฅ ๐Ÿ ๐‘ถ(๐) ๐‘ถ(๐(๐’ ๐œฟ)1/๐ ) ๐‘ถ(๐๐œฟ) bits โ€ข Time to sign edge / verify path signature: โ€ข Time to compute a path signature: โ€ข Size of path signature: Examples Time to sign edge / verify path signature Time to compute a path signature Size of path signature ๐= ๐Ÿ ๐= ๐Ÿ ๐ = log(๐’) ๐‘ถ(๐Ÿ) ๐‘ถ(๐Ÿ) ๐‘ถ(log ๐’) ๐‘ถ(๐’/๐œฟ) ๐‘ถ(๐œฟ) ๐‘ถ( ๐’/๐œฟ) ๐‘ถ(๐œฟ) ๐‘ถ(log ๐’) ๐‘ถ(๐œฟ log ๐’)
  43. 43. Pre/Post Order Tree Traversal a b h d i c e f j g Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a k
  44. 44. Property of Pre/Post order Traversal โ€ข Proposition [Dietz82] There is a path from ๐’™ to ๐’š ๐’‘๐’๐’” ๐’™ < ๐’‘๐’๐’” ๐’š in ๐‘ท๐’“๐’† ๐’‘๐’๐’” ๐’š < ๐’‘๐’๐’”(๐’™) in ๐‘ท๐’๐’”๐’• โ‡” a b h d i c e f j g Pre order: a b c d e f g h i j k Post order: c e f g d b i j k h a k
  45. 45. Idea Is there a path from ๐‘Ž to ๐‘’? Compute ๐’‘๐’๐’”(๐’™) in ๐‘ท๐’“๐’† and ๐‘ท๐’๐’”๐’• E.g.: Sign ๐’‚||๐Ÿ||๐Ÿ๐ŸŽ โ€ข โ€ข Signature of path (๐’‚, ๐’†): โ€ข Signature of ๐’‚||๐Ÿ||๐Ÿ๐ŸŽ โ€ข Signature of ๐’†||๐Ÿ“||๐Ÿ a b ๐‘ฎ h d j i c e k โ€ข โ€ข Check signatures Check ๐Ÿ < ๐Ÿ“ ๐Ÿ๐ŸŽ > ๐Ÿ Challenge: handle changes f Position 1 2 3 4 5 6 7 8 9 10 Pre a b c d e f h i j Post c e f d b i j h a k k Intuition: tricks to assign labels to the vertices so that these labels do not change. We use Order DS. Remaining task: to compare large labels efficiently
  46. 46. Predicate: P(๐‘†, ๐‘ƒ) = ๐‘‡๐‘Ÿ๐‘ข๐‘’ ๏ƒณ ๐‘ƒ and S share a common prefix ๐ป(๐‘†), ๐ป(๐‘ƒ) ๐‘† = 1000111 ๐‘ƒ = 10000 1 0 2 ๐‘ท๐’“๐’๐’๐’‡๐‘ฎ๐’†๐’(๐‘†, ๐‘ƒ) = ๐œ‹ ๐ป ๐‘† , ๐ป(๐‘ƒ) ๐œ‹ 3 ๐‘ท๐’“๐’๐’๐’‡๐‘ช๐’‰๐’†๐’„๐’Œ ๐ป ๐‘† , ๐ป(๐‘ƒ), ๐œ‹ = ๐‘Œ๐ธ๐‘† ๏ƒณ ๐‘ƒ and ๐‘† share a common prefix until position 4 Very easy to derive a bigger family of predicates: โ€ข Suffix โ€ข Substring โ€ข Compare through lexicographical order โ€ข โ€ฆ
  47. 47. Security ๐‘ฏ๐‘ฎ๐’†๐’(๐Ÿ ๐œฟ, ๐’) โ†’ ๐‘ท๐‘ฒ ๐‘จ๐’…๐’— ๐‘จ = ๐๐ซ (๐‘จ, ๐‘ฉ, ๐…, ๐’Š) ๐‘ท๐’“๐’๐’๐’‡๐‘ช๐’‰๐’†๐’„๐’Œ ๐‘ฏ ๐‘จ , ๐‘ฏ ๐‘ฉ , ๐’Š, ๐…, ๐‘ท๐‘ฒ = ๐‘ป๐’“๐’–๐’† โˆง ๐‘จ ๐Ÿ. . ๐’Š โ‰  ๐‘ฉ ๐Ÿ. . ๐’Š
  48. 48. Bilinear maps (pairings) โ€ข ๐‘, ๐‘’, ๐บ, ๐บ ๐‘‡ , ๐‘” โ† ๐ต๐‘€๐บ๐‘’๐‘› 1 ๐‘˜ โ€ข ๐บ = ๐บ๐‘‡ = ๐‘ โ€ข ๐‘’: ๐บ ร— ๐บ โ†’ ๐บ ๐‘‡ ๐‘Ž ๐‘ โ€ข ๐‘’ ๐‘” , ๐‘” = ๐‘’ ๐‘”, ๐‘” โ€ข ๐‘’ ๐‘”, ๐‘” generates ๐บ ๐‘‡ ๐‘Ž๐‘ AMAZING TOOL: โ€ข Started in 2001 โ€ข Thousands of publications โ€ข Dedicated Conference (Pairings)
  49. 49. n-BDHI assumption [BB04] ๐’†: ๐‘ฎ ร— ๐‘ฎ โ†’ ๐‘ฎ ๐‘ป ๐’” โ† ๐’๐’‘ ๐’ˆ generator of๐’ ๐‘ฎ ๐Ÿ ๐’”, ๐’ˆ ๐’” , โ€ฆ , ๐’ˆ ๐’” ) (๐’ˆ ๐’†(๐’ˆ, ๐’ˆ) ๐Ÿ ๐’”
  50. 50. The Hash Function โ€ข ๐‘ฏ๐‘ฎ๐’†๐’(๐Ÿ ๐œฟ, ๐’) ๐’‘, ๐‘ฎ, ๐‘ฎ ๐‘ป, ๐’†, ๐’ˆ โ† ๐ต๐‘€๐บ๐‘’๐‘› 1 ๐œ… ๐’” โ† ๐’๐’‘ ๐Ÿ ๐’ ๐‘ป: = (๐’ˆ ๐’” , ๐’ˆ ๐’” , โ€ฆ , ๐’ˆ ๐’” ) return ๐‘ท๐‘ฒ: = (๐’‘, ๐‘ฎ, ๐‘ฎ ๐‘ป, ๐’†, ๐’ˆ, ๐‘ป) โ€ข ๐‘ฏ๐‘ฌ๐’—๐’‚๐’(๐‘ด, ๐‘ท๐‘ฒ) ๐’ ๐‘ฏ(๐‘ด) โˆถ= ๐’ˆ ๐‘ด ๐’Š ๐’”๐’Š ๐’Š=๐Ÿ Toy example: ๐‘ด = ๐Ÿ๐ŸŽ๐ŸŽ๐Ÿ โ‡’ ๐‘ฏ ๐‘ด = ๐’ˆ ๐’” . ๐’ˆ ๐’” ๐Ÿ’
  51. 51. Generating & Verifying Proofs โ€ข ๐‘จ = ๐‘จ ๐Ÿ. . ๐’ = ๐Ÿ๐ŸŽ๐ŸŽ๐ŸŽ๐Ÿ๐Ÿ๐Ÿ๐ŸŽ๐ŸŽ๐Ÿ โ€ข ๐‘ฉ = ๐‘ฉ,๐Ÿ. . ๐’- = ๐Ÿ๐ŸŽ๐ŸŽ๐ŸŽ๐Ÿ๐ŸŽ๐Ÿ๐Ÿ๐ŸŽ๐ŸŽ โ€ข ๐œŸ โˆถ= โ€ข ๐œŸ= ๐‘ฏ ๐‘จ ๐‘ฏ ๐‘ฉ ๐’ ๐’‹=๐Ÿ = ๐’ˆ ๐Ÿ“ ๐Ÿ” ๐Ÿ• ๐’ˆ๐’” ๐’ˆ๐’” ๐’ˆ๐’” ๐’ˆ๐’” ๐’ˆ๐’” ๐Ÿ“ ๐Ÿ• ๐Ÿ– ๐’ˆ๐’” ๐’ˆ๐’” ๐’ˆ๐’” ๐’ˆ๐’” ๐‘ช ๐’‹ ๐’”๐’‹ ๐Ÿ๐ŸŽ = ๐’ˆ ๐’” ๐Ÿ” ๐’ˆ โˆ’๐’” ๐Ÿ– ๐’ˆ ๐’” ๐Ÿ๐ŸŽ with ๐‘ช = ,๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐Ÿ, ๐ŸŽ, โˆ’๐Ÿ, ๐ŸŽ, ๐Ÿ-
  52. 52. Generating & Verifying Proofs โ€ข ๐œŸ= ๐’ ๐’‹=๐Ÿ ๐’ˆ ๐‘ช ๐’‹ ๐’”๐’‹ with ๐‘ช = ,๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐ŸŽ, ๐Ÿ, ๐ŸŽ, โˆ’๐Ÿ, ๐ŸŽ, ๐Ÿ- โ€ข โ€œRemoveโ€ factor ๐ฌ ๐ข+1 in the exponent without knowing ๐ฌ ๐…โ‰” ๐Ÿ ๐œŸ ๐’” ๐’Š+๐Ÿ ๐’ = ๐’ˆ ๐‘ช ๐’‹ ๐’” ๐’‹โˆ’๐’Šโˆ’๐Ÿ = ๐’ˆ ๐’ˆ ๐’‹=๐’Š+๐Ÿ โ€ข Check the proof : ๐’” ๐’Š+1 ) ๐’†(๐…,๐’ˆ = ๐’†(๐œŸ, ๐’ˆ) โˆ’๐’” ๐Ÿ ๐’ˆ ๐’”๐Ÿ’
  53. 53. Security [CH12] โ€ข Proposition: If the n-BDHI assumption holds, then the previous construction is a CRHF that preserves the common-prefix predicate. โ€ข Proof (idea) ๐€ = ๐Ÿ๐ŸŽ๐ŸŽ๐ŸŽ๐Ÿ๐ŸŽ ๐ = ๐Ÿ๐ŸŽ๐Ÿ๐ŸŽ๐ŸŽ๐Ÿ ๐ข = ๐Ÿ‘ ๐ ๐ฌ ๐ ๐ฌ ๐Ÿ“ ๐‡ ๐€ = ๐Ÿ‘ ๐Ÿ” ๐ฌ ๐ ๐ฌ ๐ ๐ฌ ๐‡ ๐ = ๐  ๐šซ = ๐‡ ๐€ ๐‡ ๐ ๐›‘ = ๐šซ ๐Ÿ ๐’”๐Ÿ’ = ๐  โˆ’๐’” ๐Ÿ‘ = ๐  ๐  โˆ’๐Ÿ ๐’” ๐ฌ ๐Ÿ“ ๐ ๐ฌ ๐’ˆโˆ’๐’” ๐  ๐Ÿ” โˆ’๐ฌ ๐Ÿ
  54. 54. Tradeoff ๐’ = ๐Ÿ“๐Ÿ’, ๐œฟ = ๐Ÿ, ๐’ ๐œฟ = ๐Ÿ“๐Ÿ’ ๐Ÿ = ๐Ÿ๐Ÿ• ๐€ = ๐Ÿ‘ โ‡’ (๐’ ๐œฟ) ๐Ÿ ๐€ = ๐Ÿ‘ ๐šบ = ๐’‚, ๐’ƒ, ๐’„, ๐’…
  55. 55. Map Optimal Data Authentication Accumulators 1 Difficult Problem (Still Open BTW) Optimal Data Authentication From Directed Transitive Signatures 4 Pivot 6 Strong Accumulators From Collision-Resistant Hashing 2 Transitive Signatures 5 7 Impossibility of Batch Update For Cryptographic Accumulators 3 Predicate-Preserving Collision-Resistant Hashing 9 8 Short Transitive Signatures For Directed Trees Fair Exchange of Short Signatures without Trusted Third Party
  56. 56. Modeling Transactions with Digital Signatures The problem: Who starts first? Impossibility Result [Cleve86] Software License Digital Check Buyer Seller
  57. 57. Gradual Release of a Secret Bobโ€™s signature Aliceโ€™s signature 1 1001 0 Allows to circumvent Cleveโ€™s impossibility result 0 (relaxed security definition). 1 0 1 How do I know that the bit I received 1 is not garbage? 1 0111
  58. 58. Contributions โ€ข Formal definition of Partial Fairness โ€ข Efficiency ๐œฟ: Security Parameter # Rounds Communication # Crypto operations per participant ๐œ…+5 ๐œฟ = ๐Ÿ๐Ÿ”๐ŸŽ 165 16๐œ… 2 + 12๐œ… bits โ‰ˆ 52 kB โ‰ˆ 30๐œ… โ‰ˆ 4800 โ€ข First protocol for Boneh-Boyen signatures
  59. 59. I will try to open the box with another value. I will attempt to find out what is in the box before I get the key. Commitments Commitment secret 1 3 2 + secret = secret The secret is revealed.
  60. 60. Zero-Knowledge Proofs of Knowledge Prove you know the content of the box and something about this content without opening the box. I want to fool Alice: Make her believe that the value in the box is binary while it is not (e.g: 15). 1 I want to know exactly what is in the box (not only that the secret is a bit). 0 , ๐œ‹ 2 0 + ๐œ‹ = Yes / No
  61. 61. Intuition of the Construction [C13] 1 Signature + 35 = 100011 2 Encrypted Signature = 2 1 3 ๐œ‹1 Each small box contains a bit. ๐œ‹2 The sequence of small boxes is the binary decomposition of the secret inside the big box. 4 1 0 0 0 0 0 0 1 1 1 1
  62. 62. Conclusion โ€ข We introduced the concept of Predicate-Preserving Collision-Resistant Hashing โ€ข Many open questions โ€“ Optimal Data Authentication โ€“ Relationship between predicate complexity and size for proofs โ€“ Apply these techniques to authenticated pattern matching โ€“ Find new applicationsโ€ฆ
  63. 63. Bibliography โ€ข โ€ข โ€ข โ€ข โ€ข โ€ข โ€ข โ€ข [BB04] Dan Boneh and Xavier Boyen. Short Signatures Without Random Oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004. [ BN05] Mihir Bellare and Gregory Neven. Transitive Signatures: New Schemes and Proofs. IEEE Transactions on Information Theory, 51(6):2133โ€“2151, 2005. [ Cleve86] Richard Cleve. Limits on the security of coin flips when half the processors are faulty. In STOC, 1986. [ Dietz82 ] Paul F. Dietz. Maintaining Order in a Linked List. In STOC, pages 122โ€“ 127. ACM Press, May 1982. [ FN02] Nelly Fazio and Antonio Nicolisi. Cryptographic Accumulators: Definitions, Constructions and Applications. Technical report, 2002. [GM84] Goldwasser, Shafi, and Silvio Micali. "Probabilistic encryption." Journal of computer and system sciences , 1984 [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM, 1988. [ Hoh03] Susan Rae Hohenberger. The Cryptographic Impact of Groups with Infeasible Inversion. Masterโ€™s thesis, Massachusetts Institute of Technology, 2003.
  64. 64. Bibliography โ€ข โ€ข โ€ข [MR02] Silvio Micali and Ronald Rivest. Transitive Signature Schemes. In Bart Preneel, editor, CT-RSA, 2002. [SMJ05] Siamak Fayyaz Shahandashti, Mahmoud Salmasizadeh, and Javad Mohajeri. A Provably Secure Short Transitive Signature Scheme from Bilinear Group Pairs. In Carlo Blundo and Stelvio Cimato, editors, Security in Communication Networks, 2005. [WWP08] Peishun Wang, Huaxiong Wang, and Josef Pieprzyk. Improvement of a Dynamic Accumulator at ICICS 07 and Its Application in Multi-user Keyword-Based Retrieval on Encrypted Data. In Asia-Pacific Conference on Services Computing, 2008.
  65. 65. Strong Accumulators from CRHF
  66. 66. Hashing: padding-techniques The trees are different yet yield the same hash value. We need to hash the final value (root) and concatenated with some data on the โ€œshapeโ€ of the tree: ๐‘ฏ(๐‘ฏโ€™(๐’‚||๐’ƒ)||๐Ÿ||๐Ÿ)
  67. 67. Batch Update
  68. 68. Batch Update is Impossible [CH10] โ€ข Theorem: Let ๐‘จ๐’„๐’„ be a secure accumulator scheme with deterministic ๐‘ผ๐’‘๐’…๐‘พ๐’Š๐’• and ๐‘ฝ๐’†๐’“๐’Š๐’‡๐’š algorithms. For an update involving ๐’Ž delete operations in a set of ๐‘ต elements, the size of the update information ๐‘ผ๐’‘๐’… ๐‘ฟ, ๐‘ฟโ€ฒ required by the algorithm ๐‘ผ๐’‘๐’…๐‘พ๐’Š๐’• is ๏—(๐’Ž log(๐‘ต/๐’Ž)). In particular if ๐’Ž = ๐‘ต/๐Ÿ we have |๐‘ผ๐’‘๐’… ๐‘ฟ, ๐‘ฟโ€ฒ| = ๏— (๐’Ž) = (๐‘ต)
  69. 69. Proof 1/3 Manager User X={x1,x2,โ€ฆ,xN} X={x1,x2,โ€ฆ,xN} AccX , {w1,w2,โ€ฆ,wN} Compute AccX, {w1,w2,โ€ฆ,wN} Delete Xd:={xi1,xi2,โ€ฆ,xim} Xโ€™ := XXd AccXโ€™ , UpdX,Xโ€™ Compute AccXโ€™,UpdX,Xโ€™
  70. 70. Proof 2/3 CASE 1 User X={x1,x2,โ€ฆ,xN} {w1,โ€ฆ,wN} AccX, AccXโ€™, UpdX,Xโ€™ CASE 2 If x is not in Xโ€™ => Scheme insecure If x is in Xโ€™ => Scheme incorrect x still in Xโ€™ x not in Xโ€™ anymore YES For each element x xั”X wโ€™ := UpdWit(w,AccX,AccXโ€™,UpdX,Xโ€™) CASE 1 wโ€™ valid? NO CASE 2 User can reconstruct the set Xd
  71. 71. Proof 3/3 โ€ข There are ( ) subsets of m elements in a set of N elements N m โ€ข We need log( to encode Xd N m ) โ‰ฅ m log(N/m) bits
  72. 72. Transitive Signatures
  73. 73. If the ๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ algorithm returns ๐‘Œ๐ธ๐‘†, I am sure Alice is the author of message ๐‘š. Digital Signatures SK PK PK ๐œŽ = ๐‘†๐‘–๐‘”๐‘›(๐‘†๐พ, ๐‘š) ๐‘Œ๐ธ๐‘†/๐‘๐‘‚ = ๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ(๐‘ƒ๐พ, ๐œŽ, ๐‘š)
  74. 74. Security for Digital Signatures [GMR88] ๐‘ƒ๐พ Signature request for message ๐‘š1 (Adversary) ๐œŽ1 (Oracle) Signature request for message ๐‘š2 ๐œŽ2 โ€ฆ Signature request for message ๐‘š ๐‘– ๐œŽ๐‘– This should not happen! (๐œŽ, ๐‘š) such that ๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ(๐‘ƒ๐พ, ๐œŽ, ๐‘š) returns ๐‘Œ๐ธ๐‘† but ๐‘š has not been requested before
  75. 75. Security of transitive signatures [MR02] (๐ด, ๐ต) ๐œŽ ๐ด๐ต (๐ต, ๐ถ) ฯƒBC (๐ต, ๐ท) ๐œŽ ๐ต๐ท (๐ด, ๐ธ) ๐œŽ ๐ด๐ธ ๐ด ๐ต ๐ถ E ๐ท ๐œŽ โˆ— , ๐ต, ๐ธ : โ† ๐‘‡๐‘‰๐‘’๐‘Ÿ๐‘–๐‘“๐‘ฆ(๐ต, ๐ธ, ๐œŽ โˆ— , ) and There is no path from ๐‘ฉ to ๐‘ฌ
  76. 76. ODA is still open โ€ข [PTT10] Papamanthou, Charalampos, Roberto Tamassia, and Nikos Triandopoulos. "Optimal authenticated data structures with multilinear forms." Pairing-Based CryptographyPairing 2010. Springer Berlin Heidelberg, 2010. 246-264. โ€ข [CLT13] Coron, Jean-Sรฉbastien, Tancrede Lepoint, and Mehdi Tibouchi. "Practical Multilinear Maps over the Integers." IACR Cryptology ePrint Archive 2013 (2013): 183. [PTT10] Only works for the two-party model. Size of proof are ๐‘ถ(๐Ÿ) but time to verify is ๐‘ถ log ๐’ . [CLT13] We know how to build multilinear maps!
  77. 77. Fair Exchange
  78. 78. Partial Fairness ๐‘‚ ๐‘†๐‘–๐‘”๐‘› ๐‘ ๐‘˜ ๐ต ,โ‹… (๐‘ ๐‘˜ ๐ด , ๐‘๐‘˜ ๐ด ) ๐‘š ๐ด, ๐‘š ๐ต Not queried to signing oracle ๐‘‚ ๐‘†๐‘–๐‘”๐‘› ๐‘š ๐ด , ๐‘š ๐ต , ๐‘๐‘˜ ๐ด (๐‘ ๐‘˜ ๐ต , ๐‘๐‘˜ ๐ต ) ๐œŽ ๐ต on ๐‘š ๐ด ฯƒ ๐ด on ๐‘š ๐ต ฯƒโˆ— on ๐‘šโˆ— Bet according to partially released secret
  79. 79. Simultaneous Hardness of Bits for Discrete Logarithm Holds in the generic group model [Schnorr98] An adversary cannot distinguish between a random sequence of ๐œฟ โˆ’ ๐’ bits and the first ๐œฟ โˆ’ ๐’ bits of ๐œฝ given ๐’ˆ ๐œฝ . ๐‘™ = ๐œ”( log ๐œ…)
  80. 80. Provable Security
  81. 81. Provable Security 1. Define โ€œSecureโ€ (formally) Itโ€™s not that easy. E.g. [GM84] 2. Design your solution We want: If conjecture is true then NO adversary can break the security. We prove: If adversary can break the security then the conjecture is false. 3. Prove it is secure with respect to definition proposed in step 1 4. Donโ€™t forget to mention your assumptions (mathematical conjectures) E.g. : Factoring is hard.
  82. 82. Provable Security 1. Given a random hash function ๐‘ฏ it should be hard for any adversary to find to messages ๐’Ž, ๐’Žโ€™ such that ๐‘ฏ(๐’Ž) = ๐‘ฏ(๐’Žโ€™) and ๐’Ž โ‰  ๐’Žโ€™ 2. ๐‘ฎ a cyclic group , ๐’ˆ a generator, ๐œถ a random value set ๐’‰: = ๐’ˆ ๐œถ and define for ๐’Ž = ๐’Ž ๐Ÿ ||๐’Ž ๐Ÿ : ๐‘ฏ(๐’Ž ๐Ÿ | ๐’Ž ๐Ÿ โˆถ= ๐’ˆ ๐’Ž ๐Ÿ ๐’‰ ๐’Ž ๐Ÿ 3. If adversary finds different ๐’Ž, ๐’Žโ€™ such that ๐‘ฏ(๐’Ž) = ๐‘ฏ(๐’Žโ€™) then we can deduce ๐œถ . 4. Discrete logarithm is hard: given ๐’ˆ, ๐’‰ itโ€™s difficult (takes a lot of time) to compute ๐œถ such that ๐’‰ = ๐’ˆ ๐œถ

ร—