Secure and efficient pairing-based digital signatures

Digital signatures are one of the most important primitives of public-key cryptography. An ideal signature scheme should be provably secure in the standard model under a weak assumption and with a tight reduction. It should also offer short parameters (e.g. public key, signing key and signature), efficient signing, and efficient verification. However, no such ideal signature scheme exists, because of inherent trade-offs in signature construction. Bilinear pairings are a popular mathematical tool for constructing signature schemes that come close to this ideal. In this thesis, we improve some well-known signature schemes constructed from bilinear pairings in terms of security and/or efficiency. The thesis is composed of the following nine chapters.

In Chapter 1, we introduce the evaluation of digital signatures in terms of security model, hard problem, reduction probability, parameter size, signing efficiency and verification efficiency. In Chapter 2, we introduce the background of digital signatures, including the definition of digital signatures, the development of bilinear pairings and the signature schemes proposed in the literature.

In Chapter 3, we improve short signatures with a tighter security reduction without random oracles. The Hofheinz-Kiltz signature scheme [HK08] is the first signature scheme whose signatures are shorter than 320 bits (80-bit security) in the standard model. However, its security reduction to the q-SDH assumption is loose. We use a new programmable hash function to construct a short signature scheme whose security proof has a tighter reduction. Taking the security loss into account, for 80-bit security our stateless signature scheme produces 286-bit signatures, compared to 306 bits for [HK08]; our stateful signature scheme produces 207-bit signatures, compared to 266 bits for [HK08].

In Chapter 4, we improve the Waters signature scheme [Wat05] with a tighter security reduction. The Waters signature scheme is the first provably secure scheme under the CDH assumption in the standard model. However, its security reduction is loose and depends on the number of signature queries. We tighten the security
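The Waters signature scheme that Chapter 4 starts from, and the reason reduction tightness shows up in parameter size (Chapter 3), written out as an added illustration that is not code from the thesis or from [Wat05]. To stay runnable without a pairing library, the example uses an "exponent pairing": every element of the source group is represented by its discrete logarithm to the base g, so the group law is addition mod q, exponentiation is multiplication mod q, and e(g^x, g^y) = h^(xy) in the order-q subgroup of Z_p^* for a safe prime p = 2q + 1 found at start-up. Bilinearity holds exactly, so the Waters verification equation e(σ1, g) = e(g2, g1) · e(H(m), σ2) can be exercised, but the representation exposes every discrete logarithm and therefore has no security; it only shows the algebra. Message bits are taken from SHA-256 (an assumption; Waters' scheme signs n-bit strings directly), and bits_for_security is a generic-group rule of thumb (required group order of twice the target plus the log of the reduction loss), not the thesis' exact accounting, which is why it does not reproduce the 286/306/207/266-bit figures above.

```python
"""Toy Waters signatures over an exponent pairing (illustration only, no security).

Source-group elements are stored as exponents in Z_q: g is 1, g^x is x, the group
law is addition mod q and e(g^x, g^y) = H**(x*y) in the order-q subgroup of Z_p^*.
"""
from __future__ import annotations

import hashlib
import math
import secrets

MSG_BITS = 256  # n: messages are hashed to n bits (assumption; Waters signs n-bit strings)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 with the first twelve prime bases."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> tuple[int, int]:
    """Return (q, p) with q and p = 2q + 1 both prime and q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1


Q, P = safe_prime_from(1 << 61)  # constructed toy group order and field modulus
H = 4                            # 2^2 is a quadratic residue, hence of order q in Z_p^*


def pair(x: int, y: int) -> int:
    """Toy bilinear map e(g^x, g^y) = h^(xy) in GT."""
    return pow(H, (x * y) % Q, P)


def hash_to_bits(msg: bytes) -> list[int]:
    """Message bits m_1..m_n from SHA-256(msg)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> i) & 1 for i in range(MSG_BITS)]


def waters_hash(params: dict, msg: bytes) -> int:
    """Waters hash u' * prod_{m_i = 1} u_i, in exponent representation."""
    acc = params["u0"]
    for bit, u_i in zip(hash_to_bits(msg), params["u"]):
        if bit:
            acc = (acc + u_i) % Q
    return acc


def setup() -> dict:
    """Public parameters g, g2, u', u_1..u_n (all as exponents)."""
    return {"g": 1, "g2": secrets.randbelow(Q - 1) + 1,
            "u0": secrets.randbelow(Q), "u": [secrets.randbelow(Q) for _ in range(MSG_BITS)]}


def keygen(params: dict) -> tuple[int, int]:
    """Returns (pk, sk) = (g^alpha, g2^alpha)."""
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha * params["g"] % Q, params["g2"] * alpha % Q


def sign(params: dict, sk: int, msg: bytes) -> tuple[int, int]:
    """sigma = (g2^alpha * H(m)^r, g^r) for a fresh random r."""
    r = secrets.randbelow(Q - 1) + 1
    return (sk + r * waters_hash(params, msg)) % Q, r * params["g"] % Q


def verify(params: dict, pk: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Accept iff e(sigma1, g) == e(g2, pk) * e(H(m), sigma2) in GT."""
    s1, s2 = sig
    lhs = pair(s1, params["g"])
    rhs = pair(params["g2"], pk) * pair(waters_hash(params, msg), s2) % P
    return lhs == rhs


def bits_for_security(target_bits: int, loss_log2: float) -> int:
    """Generic-group rule of thumb (assumption, not the thesis' accounting): a reduction
    losing a factor 2^loss_log2 needs a problem that is target_bits + loss_log2 hard, and
    square-root discrete-log algorithms then call for a group order of twice that size."""
    return 2 * math.ceil(target_bits + loss_log2)


if __name__ == "__main__":
    prm = setup()
    pk, sk = keygen(prm)
    sig = sign(prm, sk, b"constructed message")
    print(verify(prm, pk, b"constructed message", sig), verify(prm, pk, b"tampered", sig))
```

Running the block prints `True False`: the genuine signature passes and the same signature presented for a different message fails, because the exponent r · H(m) no longer cancels. The only reason the example is verifiable at all is that r is fresh per signature; reusing r across messages would let anyone solve for the secret g2^alpha by subtracting two signatures, which is why the scheme's randomness is as security-critical as its key.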

[1] Yi Mu et al. A New Signature Scheme Without Random Oracles from Bilinear Pairings. VIETCRYPT, 2006.

[2] Fuchun Guo et al. Optimal Online/Offline Signature: How to Sign a Message without Online Computation. ProvSec, 2008.

[3] Fuchun Guo et al. Improving security of q-SDH based digital signatures. J. Syst. Softw., 2011.

[4] Tibor Jager et al. Short Signatures From Weaker Assumptions. IACR Cryptol. ePrint Arch., 2011.

[5] Serge Vaudenay et al. On Privacy Models for RFID. ASIACRYPT, 2007.

[6] Shai Halevi et al. Secure Hash-and-Sign Signatures Without the Random Oracle. EUROCRYPT, 1999.

[7] Jonathan Katz et al. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 2004.

[8] Jan Camenisch et al. Batch Verification of Short Signatures. Journal of Cryptology, 2007.

[9] M. De Soete et al. Speeding up smart card RSA computations with insecure coprocessors, 1991.

[10] Stefan Dziembowski et al. Leakage-Resilient Cryptography. 49th Annual IEEE Symposium on Foundations of Computer Science, 2008.

[11] Tibor Jager et al. Waters Signatures with Optimal Security Reduction. Public Key Cryptography, 2012.

[12] Moni Naor et al. Public-Key Cryptosystems Resilient to Key Leakage. SIAM J. Comput., 2009.

[13] Xavier Boyen et al. The Uber-Assumption Family. Pairing, 2008.

[14] Pascal Paillier et al. Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log. ASIACRYPT, 2005.

[15] Shuenn-Yuh Lee et al. A Low-Power RFID Integrated Circuits for Intelligent Healthcare Systems. IEEE Transactions on Information Technology in Biomedicine, 2010.

[16] Fuchun Guo et al. A Pre-computable Signature Scheme with Efficient Verification for RFID. ISPEC, 2012.

[17] Brent Waters et al. Realizing Hash-and-Sign Signatures under Standard Assumptions. EUROCRYPT, 2009.

[18] Richard J. Lipton et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). EUROCRYPT, 1997.

[19] Mihir Bellare et al. Fast Batch Verification for Modular Exponentiation and Digital Signatures. IACR Cryptol. ePrint Arch., 1998.

[20] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.

[21] Mihir Bellare et al. Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters' IBE Scheme. EUROCRYPT, 2009.

[22] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., 1988.

[23] Jan Camenisch et al. Signature Schemes and Anonymous Credentials from Bilinear Maps. CRYPTO, 2004.

[24] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[25] Alfred Menezes et al. Reducing elliptic curve logarithms to logarithms in a finite field. STOC '91, 1991.

[26] Fuchun Guo et al. Short Signatures with a Tighter Security Reduction Without Random Oracles. Comput. J., 2011.

[27] W. B. Lee et al. Design of a RFID case-based resource management system for warehouse operations. Expert Syst. Appl., 2005.

[28] Brent Waters et al. Efficient Identity-Based Encryption Without Random Oracles. EUROCRYPT, 2005.

[29] Claus-Peter Schnorr et al. Efficient signature generation by smart cards. Journal of Cryptology, 2004.

[30] Ralph C. Merkle et al. A Digital Signature Based on a Conventional Encryption Function. CRYPTO, 1987.

[31] Refik Molva et al. Tracker: Security and Privacy for RFID-based Supply Chains. NDSS, 2010.

[32] Yi Mu et al. Efficient Generic On-Line/Off-Line Signatures Without Key Exposure. ACNS, 2007.

[33] Hovav Shacham et al. Short Signatures from the Weil Pairing. J. Cryptol., 2001.

[34] Hugo Krawczyk et al. Chameleon Signatures. NDSS, 2000.

[35] Y. Mu et al. Efficient Batch Verification of Short Signatures for a Single-Signer Setting without Random Oracles. IWSEC, 2008.

[36] Paul C. Kocher et al. Differential Power Analysis. CRYPTO, 1999.

[37] David Chaum et al. An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. EUROCRYPT, 1987.

[38] Craig Gentry et al. Practical Identity-Based Encryption Without Random Oracles. EUROCRYPT, 2006.

[39] Matthew K. Franklin et al. Identity-Based Encryption from the Weil Pairing. CRYPTO, 2001.

[40] Rosario Gennaro et al. Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results. Public Key Cryptography, 2008.

[41] Alfred Menezes et al. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 2001.

[42] Jonathan Katz et al. Efficiency improvements for signature schemes with tight security reductions. CCS '03, 2003.

[43] Benoît Chevallier-Mames et al. An Efficient CDH-Based Signature Scheme with a Tight Security Reduction. CRYPTO, 2005.

[44] Marc Girault et al. Server-Aided Verification: Theory and Practice. ASIACRYPT, 2005.

[45] Ran Canetti et al. The random oracle methodology, revisited. JACM, 2000.

[46] Stanislaw Jarecki et al. A Signature Scheme as Secure as the Diffie-Hellman Problem. EUROCRYPT, 2003.

[47] Dan Boneh et al. Short Signatures Without Random Oracles. EUROCRYPT, 2004.

[48] Amit Sahai et al. Pseudonym Systems. Selected Areas in Cryptography, 1999.

[49] T. Elgamal. A public key cryptosystem and a signature scheme based on discrete logarithms. CRYPTO, 1984.

[50] Silvio Micali et al. Physically Observable Cryptography (Extended Abstract). TCC, 2004.

[51] Silvio Micali et al. On-Line/Off-Line Digital Schemes. CRYPTO, 1989.

[52] Ronald L. Rivest et al. Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. SPC, 2003.

[53] Moon Sung Lee et al. Efficient Delegation of Pairing Computation. IACR Cryptol. ePrint Arch., 2005.

[54] Reihaneh Safavi-Naini et al. An Efficient Signature Scheme from Bilinear Pairings and Its Applications. Public Key Cryptography, 2004.

[55] Dongqing Xie et al. Divisible On-Line/Off-Line Signatures. CT-RSA, 2009.

[56] Brent Waters et al. Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys. EUROCRYPT, 2006.

[57] Yael Tauman Kalai et al. Improved Online/Offline Signature Schemes. CRYPTO, 2001.

[58] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems. CACM, 1978.

[59] Vinod Vaikuntanathan et al. Signature Schemes with Bounded Leakage Resilience. ASIACRYPT, 2009.

[60] Anna Lysyanskaya et al. How to Securely Outsource Cryptographic Computations. TCC, 2005.

[61] Victor S. Miller et al. The Weil Pairing, and Its Efficient Calculation. Journal of Cryptology, 2004.

[62] Guy N. Rothblum et al. Leakage-Resilient Signatures. TCC, 2010.

[63] Jean-Jacques Quisquater et al. ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards. E-smart, 2001.

[64] Victor S. Miller et al. Use of Elliptic Curves in Cryptography. CRYPTO, 1985.

[65] Yi Mu et al. Server-Aided Verification Signatures: Definitions and New Constructions. ProvSec, 2008.

[66] Taher ElGamal et al. A public key cryptosystem and signature scheme based on discrete logarithms, 1985.

[67] Michael Scott et al. A Taxonomy of Pairing-Friendly Elliptic Curves. Journal of Cryptology, 2010.

[68] Fuchun Guo et al. Identity-Based Online/Offline Encryption. Financial Cryptography, 2008.

[69] Don Coppersmith et al. Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory, 1984.

[70] Jonathan Katz. Signature Schemes Based on the (Strong) RSA Assumption, 2010.

[71] Kenneth G. Paterson et al. Efficient Identity-Based Signatures Secure in the Standard Model. ACISP, 2006.

[72] Ben Lynn et al. On the implementation of pairing-based cryptosystems, 2007.

[73] David Naccache et al. Secure Delegation of Elliptic-Curve Pairing. IACR Cryptol. ePrint Arch., 2010.

[74] Ari Juels et al. Minimalist Cryptography for Low-Cost RFID Tags. SCN, 2004.

[75] Jacques Stern et al. Security Proofs for Signature Schemes. EUROCRYPT, 1996.

[76] Maire O'Neill et al. Low-Cost SHA-1 Hash Function Architecture for RFID Tags, 2008.

[77] Amos Fiat et al. Batch RSA. Journal of Cryptology, 1989.

[78] Chae Hoon Lim et al. Server (Prover/Signer)-Aided Verification of Identity Proofs and Signatures. EUROCRYPT, 1995.

[79] Fuchun Guo et al. Efficient Online/Offline Signatures with Computational Leakage Resilience in Online Phase. Inscrypt, 2010.

[80] Don Coppersmith et al. Discrete logarithms in GF(p). Algorithmica, 2005.

[81] Serge Vaudenay et al. Mutual authentication in RFID: security and privacy. ASIACCS '08, 2008.

[82] Fuchun Guo et al. How to Prove Security of a Signature with a Tighter Security Reduction. ProvSec, 2009.

[83] Norbert Felber et al. ECC Is Ready for RFID - A Proof in Silicon. Selected Areas in Cryptography, 2008.

[84] Sean W. Smith et al. Batch Pairing Delegation. IWSEC, 2007.

[85] Eike Kiltz et al. Programmable Hash Functions and Their Applications. CRYPTO, 2008.

[86] Tanja Lange et al. Computing Small Discrete Logarithms Faster. INDOCRYPT, 2012.

[87] M. Rabin. Digitalized Signatures and Public-Key Functions as Intractable as Factorization, 1979.

[88] Adi Shamir et al. Memory Efficient Variants of Public-Key Schemes for Smart Card Applications. EUROCRYPT, 1994.

[89] Willy Susilo et al. Server-aided signatures verification secure against collusion attack. ASIACCS '11, 2011.

[90] Jung Hee Cheon et al. Security Analysis of the Strong Diffie-Hellman Problem. EUROCRYPT, 2006.

[91] Dan Boneh et al. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology, 2008.

[92] Brent Waters et al. Short and Stateless Signatures from the RSA Assumption. CRYPTO, 2009.

[93] Martin Feldhofer et al. A low-resource public-key identification scheme for RFID tags and sensor nodes. WiSec '09, 2009.