On the Practicality of Short Signature Batch Verification

As pervasive communication becomes a reality, where everything from vehicles to heart monitors constantly communicates with its environment, system designers face a cryptographic puzzle: how to authenticate messages. These scenarios require that (1) cryptographic overhead remain short, and yet (2) many messages from many different signers be verified very quickly. Pairing-based signatures have property (1) but not (2), whereas schemes like RSA have property (2) but not (1). As a solution to this dilemma, at Eurocrypt 2007, Camenisch, Hohenberger and Pedersen (CHP) showed how to batch verify two pairing-based signatures so that the total number of pairing operations is independent of the number of signatures to verify. CHP left open the task of batching privacy-friendly authentication, which is desirable in many pervasive communication scenarios. In this work, we revisit this issue from a more practical standpoint and present the following results:

1. We describe a framework, consisting of general techniques, to help scheme and system designers understand how to securely and efficiently batch the verification of pairing equations.

2. We present a detailed study of when and how our framework can be applied to existing regular, identity-based, group, ring, and aggregate signature schemes. To our knowledge, these batch verifiers for group and ring signatures are the first proposals for batching privacy-friendly authentication, answering an open problem of Camenisch et al.

3. While prior work gave mostly asymptotic efficiency comparisons, we show that our framework is practical by implementing our techniques and giving detailed performance measurements. Additionally, we discuss how to deal with invalid signatures in a batch; our empirical results show that when ≤ 10% of the signatures are invalid, batching remains more efficient than individual verification.

Indeed, our results show that batch verification for short signatures is an effective, efficient approach.
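The two mechanisms the abstract describes, folding many verification equations into one randomised check so that the number of expensive operations no longer grows with the batch, and then locating the invalid signatures when a batch fails, can be exercised in a toy setting. The Python below is an added example, not code from the paper or its authors: in place of pairing equations it uses a pairing-free verification equation g^a = b in a prime-order subgroup of Z_p^*, which has the same linear-in-the-exponent shape, applies the small-exponents test to batch n such equations for the price of one full-size exponentiation (standing in for a pairing), and isolates invalid instances by recursive halving. The group parameters, the instance generator, the operation-count model and every function name are assumptions of this illustration; the paper's measurements are in pairing groups and are not reproduced here.

```python
"""Added illustration (not the paper's code): small-exponents batch
verification of toy equations g^a == b, plus divide-and-conquer isolation
of invalid instances. Full exponentiations stand in for pairings."""
import secrets
from random import Random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24, ample for the toy group."""
    if n < 2:
        return False
    if n in _BASES:
        return True
    if any(n % p == 0 for p in _BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> int:
    """First p >= start with p and (p-1)/2 both prime (constructed toy modulus)."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


P = safe_prime_from(1 << 32)  # constructed ~2^32 toy modulus, not a real parameter
Q = (P - 1) // 2              # prime order of the quadratic-residue subgroup
G = 4                         # 4 = 2^2 is a quadratic residue, so ord(G) = Q
SMALL_BITS = 30               # width of the random exponents r_i (< Q)


class Cost:
    """full: large exponentiations (the pairing stand-in); small: cheap r_i powers."""
    def __init__(self):
        self.full, self.small = 0, 0


def make_instances(n, bad, rng):
    """n constructed (a_i, b_i) with b_i = g^a_i, except indices in `bad`,
    whose b_i is perturbed to g^(a_i + 1) so the equation fails."""
    inst = []
    for i in range(n):
        a = rng.randrange(1, Q)
        inst.append((a, pow(G, a + (1 if i in bad else 0), P)))
    return inst


def verify_individually(inst, cost):
    """One full exponentiation per instance; returns indices that fail."""
    bad = []
    for i, (a, b) in enumerate(inst):
        cost.full += 1
        if pow(G, a, P) != b:
            bad.append(i)
    return bad


def batch_verify(inst, cost, rng):
    """Small-exponents test: accept iff g^(sum r_i a_i) == prod b_i^r_i.
    Any invalid instance slips through with probability <= 2^-SMALL_BITS."""
    r = [rng.getrandbits(SMALL_BITS) for _ in inst]
    lhs = pow(G, sum(ri * a for ri, (a, _) in zip(r, inst)) % Q, P)
    rhs = 1
    for ri, (_, b) in zip(r, inst):
        rhs = rhs * pow(b, ri, P) % P
        cost.small += 1
    cost.full += 1  # the single full-size exponentiation of the batch
    return lhs == rhs


def find_invalid(inst, cost, rng, offset=0):
    """Re-batch each half of a failing batch until the culprits are isolated."""
    if batch_verify(inst, cost, rng):
        return []
    if len(inst) == 1:
        return [offset]
    mid = len(inst) // 2
    return (find_invalid(inst[:mid], cost, rng, offset)
            + find_invalid(inst[mid:], cost, rng, offset + mid))


def compare(n, bad, seed=None):
    """Returns (bad found by batching, bad found individually,
    full ops individual, full ops batch + isolation)."""
    rng = Random(seed) if seed is not None else secrets.SystemRandom()
    inst = make_instances(n, set(bad), rng)
    c_ind, c_bat = Cost(), Cost()
    found_ind = verify_individually(inst, c_ind)
    found_bat = find_invalid(inst, c_bat, rng)
    return found_bat, found_ind, c_ind.full, c_bat.full


if __name__ == "__main__":
    for n_bad in (0, 5, 10, 30):
        bad = [i * 100 // n_bad for i in range(n_bad)]
        _, _, ind, bat = compare(100, bad, seed=1)
        print(f"n=100, invalid={n_bad:2d}: individual={ind} full ops, "
              f"batch+isolation={bat} full ops")
```

Running the block prints the number of full exponentiations for individual verification against batching plus isolation at several invalid fractions. With no invalid instances a batch of 100 costs a single full operation; each failing sub-batch adds roughly two more per level of the halving, so the batched cost overtakes per-signature verification once a sizable share of the batch is invalid, which is the trade-off the abstract's 10% figure refers to.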
