Machine-generated algorithms, proofs and software for the batch verification of digital signature schemes

As devices everywhere increasingly communicate with each other, many security applications will require low-bandwidth signatures that can be processed quickly. Pairing-based signatures can be very short, but are often costly to verify. Fortunately, they also tend to have efficient batch verification algorithms. Finding these batching algorithms by hand, however, can be tedious and error-prone. We address this by presenting AutoBatch, an automated tool for generating batch verification code in either Python or C++ from a high-level representation of a signature scheme. AutoBatch outputs both software and, for transparency, a LaTeX file describing the batching algorithm and arguing that it preserves the unforgeability of the original scheme. We tested AutoBatch on over a dozen pairing-based schemes to demonstrate that a computer could find competitive batching solutions in a reasonable amount of time. It proved highly competitive: in particular, it found an algorithm that is significantly faster than a batching algorithm from Eurocrypt 2010. Another novel contribution is that it handles cross-scheme batching, where it searches for a common algebraic structure between two distinct schemes and attempts to batch them together. We describe other features and performance details herein. AutoBatch is a useful tool for cryptographic designers and implementers, and to our knowledge, it is the first attempt to outsource to machines the design, proof writing and implementation of signature batch verification schemes.
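
The abstract's point that a batching algorithm must "preserve unforgeability" is worth seeing concretely: a batch check that merely combines the individual verification equations can accept a batch in which no single signature is valid, and the standard repair is the randomized small exponents test of Bellare, Garay and Rabin. The following is an added example written for this page, not AutoBatch output and not code from the paper. Because no pairing library is assumed, it applies the test to a Schnorr-type scheme over the order-q subgroup of Z_p^* (the weighting argument is the same one used for pairing equations); the 64-bit safe-prime search, SHA-256 hash-to-Z_q, message strings and seeds are illustrative choices. It builds two signatures that fail individually but pass the naive "sum the s values" batch, then shows the small exponents test rejecting them.

```python
# Small exponents batch verification on a Schnorr-type signature over the
# order-q subgroup of Z_p^* (p = 2q + 1).  Added example, not AutoBatch output.
import hashlib
import random
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # proven witness set for n < 3.3e24

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:                     # deterministic Miller-Rabin
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64, seed=1):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup.
    Seeded so the demo is reproducible; real code uses a standardised group."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)  # a square has order q

def hash_to_zq(group, R, msg):
    p, q, _ = group
    r = R.to_bytes((p.bit_length() + 7) // 8, "big")  # fixed width, so (R, msg) is unambiguous
    return int.from_bytes(hashlib.sha256(r + msg).digest(), "big") % q

def sign(group, x, msg, rng):
    p, q, g = group
    k = rng.randrange(1, q)
    R = pow(g, k, p)
    return R, (k + hash_to_zq(group, R, msg) * x) % q  # verifier checks g^s == R * y^e

def in_subgroup(v, group):
    p, q, _ = group  # mandatory before batching: a small-order element breaks the argument
    return 1 < v < p and pow(v, q, p) == 1

def batch_verify(group, items, ell=None, rng=None):
    """items = [(y, msg, (R, s)), ...]; checks g^(sum d_i s_i) == prod (R_i y_i^e_i)^d_i.
    ell=None is the naive batch (every d_i = 1): it only proves the combination holds.
    With ell-bit random d_i (Bellare-Garay-Rabin small exponents test) any invalid
    signature makes the equation fail except with probability at most 2^-ell."""
    p, q, g = group
    assert ell is None or 0 < ell < q.bit_length()
    if rng is None:
        rng = secrets.SystemRandom()
    lhs_exp, rhs = 0, 1
    for y, msg, (R, s) in items:
        if not (in_subgroup(R, group) and in_subgroup(y, group)):
            return False
        d = 1 if ell is None else rng.randrange(1, 1 << ell)
        lhs_exp = (lhs_exp + d * s) % q
        rhs = rhs * pow(R * pow(y, hash_to_zq(group, R, msg), p) % p, d, p) % p
    return pow(g, lhs_exp, p) == rhs        # one exponentiation of g for the whole batch

def verify(group, y, msg, sig):
    return batch_verify(group, [(y, msg, sig)])  # a batch of one is the plain check

def shift_attack(group, sig1, sig2, t):
    """Tamper with two valid signatures so that neither verifies alone but
    s1 + s2 is unchanged, which is all the naive batch looks at."""
    q = group[1]
    (R1, s1), (R2, s2) = sig1, sig2
    return (R1, (s1 + t) % q), (R2, (s2 - t) % q)

def demo(seed=7, ell=40):
    group = make_group(64, seed)
    p, q, g = group
    rng = random.Random(seed)                # deterministic for the demo only
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    msgs = [b"transfer %d" % i for i in range(4)]   # constructed sample messages
    honest = [(y, m, sign(group, x, m, rng)) for m in msgs]
    bad1, bad2 = shift_attack(group, honest[0][2], honest[1][2], t=12345)
    tampered = [(y, msgs[0], bad1), (y, msgs[1], bad2)] + honest[2:]
    return {
        "honest_individual": all(verify(group, *it) for it in honest),
        "honest_batch": batch_verify(group, honest, ell, rng),
        "tampered_individual": [verify(group, *it) for it in tampered],
        "tampered_naive": batch_verify(group, tampered),             # True: sum of s unchanged
        "tampered_small_exp": batch_verify(group, tampered, ell, rng),  # False w.p. >= 1 - 2^-40
    }
```

Two practitioner notes. First, the subgroup membership checks are not optional: the 2^-ℓ bound is proved in a prime-order group, and an attacker who can feed the batch an element of small order outside that group can defeat it. Second, a batch that fails tells the verifier only that at least one signature is bad, not which one, so production code needs a fallback (re-verify individually, or a divide-and-conquer search over the batch) before rejecting anything.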

Journal version: Matthew Green et al., Machine-generated algorithms, proofs and software for the batch verification of digital signature schemes, Journal of Computer Security, 2014.