Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations

Sequential aggregate signature schemes allow n signers, in order, to sign a message each, at a lower total cost than the cost of n individual signatures. We present a sequential aggregate signature scheme based on trapdoor permutations (e.g., RSA). Unlike prior such proposals, our scheme does not require a signer to retrieve the keys of other signers and verify the aggregate-so-far before adding its own signature. Indeed, we do not even require a signer to know the public keys of other signers! Moreover, for applications that require signers to verify the aggregate anyway, our schemes support lazy verification: a signer can add its own signature to an unverified aggregate and forward it along immediately, postponing verification until load permits or the necessary public keys are obtained. This is especially important for applications where signers must access a large, secure, and current cache of public keys in order to verify messages. The price we pay is that our signature grows slightly with the number of signers. We report a technical analysis of our scheme (which is provably secure in the random oracle model), a detailed implementation-level specification, and implementation results based on RSA and OpenSSL. To evaluate the performance of our scheme, we focus on the target application of BGPsec (formerly known as Secure BGP), a protocol designed for securing the global Internet routing system. There is a particular need for lazy verification with BGPsec, since it is run on routers that must process signatures extremely quickly, while being able to access tens of thousands of public keys. We compare our scheme to the algorithms currently proposed for use in BGPsec, and find that our signatures are considerably shorter nonaggregate RSA (with the same sign and verify times) and have an order of magnitude faster verification than nonaggregate ECDSA, although ECDSA has shorter signatures when the number of signers is small

A unified framework for trapdoor-permutation-based sequential aggregate signatures

We give a framework for trapdoor-permutation-based sequential aggregate signatures (SAS) that unifies and simplifies prior work and leads to new results. The framework is based on ideal ciphers over large domains, which have recently been shown to be realizable in the random oracle model. The basic idea is to replace the random oracle in the full-domain-hash signature scheme with an ideal cipher. Each signer in sequence applies the ideal cipher, keyed by the message, to the output of the previous signer, and then inverts the trapdoor permutation on the result. We obtain different variants of the scheme by varying additional keying material in the ideal cipher and making different assumptions on the trapdoor permutation. In particular, we obtain the first scheme with lazy verification and signature size independent of the number of signers that does not rely on bilinear pairings. Since existing proofs that ideal ciphers over large domains can be realized in the random oracle model are lossy, our schemes do not currently permit practical instantiation parameters at a reasonable security level, and thus we view our contribution as mainly conceptual. However, we are optimistic tighter proofs will be found, at least in our specific application.https://eprint.iacr.org/2018/070.pdfAccepted manuscrip

Fault-Tolerance and Deaggregation Security of Aggregate Signatures

Ein zentrales Problem der digitalen Kommunikation ist die Absicherung der Authentizität und Integrität digitaler Dokumente, wie etwa Webseiten, E-Mails oder Programmen. So soll beispielsweise für den Empfänger einer E-Mail nachvollziehbar sein, dass die empfangene E-Mail tatsächlich vom angegebenen Absender stammt (Authentizität) und nicht durch Dritte verändert wurde (Integrität). Digitale Signaturen sind ein Hauptwerkzeug der Kryptographie und IT-Sicherheit, um diese Eigenschaften zu gewährleisten. Hierzu wird vom Absender ein geheimer Schlüssel verwendet, um für das zu sichernde Dokument eine Signatur zu erstellen, die mithilfe eines öffentlich bekannten Verifikationsschlüssels jederzeit überprüft werden kann. Die Sicherheitseigenschaften solcher digitaler Signaturverfahren garantieren sowohl, dass jede Änderung am Dokument dazu führt, dass diese Überprüfung fehlschlägt, als auch dass eine Fälschung einer Signatur praktisch unmöglich ist, d.h. ohne den geheimen Schlüssel kann keine gültige Signatur berechnet werden. Somit kann bei einer erfolgreichen Verifikation davon ausgegangen werden, dass das Dokument tatsächlich vom angegebenen Absender erstellt und seit der Berechnung der Signatur nicht verändert wurde, da nur der Absender über den geheimen Schlüssel verfügt. Aggregierbare Signaturen bieten zusätzlich die Möglichkeit Signaturen mehrerer Dokumente zu einer einzigen Signatur zusammenzuführen bzw. zu aggregieren. Diese Aggregation ist dabei jederzeit möglich. Eine aggregierte Signatur bezeugt weiterhin sicher die Integrität und Authentizität aller ursprünglichen Dokumente, benötigt dabei aber nur so viel Speicherplatz wie eine einzelne Signatur. Außerdem ist die Verifikation einer solchen aggregierten Signatur üblichrweise schneller möglich als die sukzessive Überprüfung aller Einzelsignaturen. Somit kann die Verwendung eines aggregierbaren Signaturverfahrens anstelle eines gewöhnlichen Verfahrens zu erheblichen Verbesserungen der Performanz und des Speicherverbrauchs bei Anwendungen von Signaturen führen. In dieser Dissertation werden zwei zusätzliche Eigenschaften von aggregierbaren Signaturverfahren namens Fehlertoleranz und Deaggregationssicherheit untersucht. Fehlertoleranz bietet eine Absicherung des Verfahrens gegen fehlerhafte Signier- und Aggregationsvorgänge und Deaggregationssicherheit schützt vor ungewollten Löschungen. Beide Eigenschaften werden im Folgenden erläutert. Fehlertoleranz: Durch System- und Programmfehler, sowie inkorrektes oder auch bösartiges Nutzerverhalten ist es möglich, dass fehlerhafte Einzelsignaturen zu einer bestehenden aggregierten Signatur hinzugefügt werden. Alle bisherige aggregierbaren Signaturverfahren haben jedoch den Nachteil, dass bereits das Aggregieren einer einzigen fehlerhaften Einzelsignatur dazu führt, dass auch die aggregierte Signatur fehlerhaft und somit unbrauchbar wird. Die aggregierte Signatur kann danach nicht mehr korrekt verifiziert werden. Insbesondere kann aus ihr nun keinerlei Aussage mehr über die Integrität und Authentizität der Dokumente abgeleitet werden, die vor dem Hinzufügen der fehlerhaften Einzelsignatur korrekt signiert wurden. Dies hat zur Folge, dass alle gegebenen Sicherheitsgarantien verloren gehen und es wird ein aufwändiges Neusignieren aller Dokumente notwendig, welches unter Umständen und je nach Anwendung nur schwer bis überhaupt nicht möglich ist. In dieser Dissertation wird das erste fehlertolerante aggregierbare Signaturverfahren vorgestellt, bei dem das Hinzufügen einzelner falscher Signaturen bis zu einer gewissen Grenze keine schädlichen Auswirkungen hat. Eine aggregierte Signatur wird erst dann ungültig und unbrauchbar, sobald die Anzahl hinzugefügter fehlerhafter Signaturen diese Grenze überschreitet und behält davor weiterhin seine Gültigkeit für die korrekt signierten Dokumente. Dazu wird ein Verfahren vorgestellt, mit dem jedes beliebige aggregierbare Signaturverfahren in ein fehlertolerantes Verfahren transformiert werden kann. Das zugrundeliegende Verfahren wird dabei nur als Black-Box verwendet und der Schutz gegen Fälschungsangriffe übertragt sich beweisbar und ohne Einschränkung auf das neue fehlertolerante Verfahren. Des Weiteren wird als Anwendung von fehlertoleranten Verfahren gezeigt, wie aus ihnen ein sicheres Log-Verfahren konstruiert werden kann. Deaggregationssicherheit: Erlangt ein Angreifer Zugriff auf eine aggregierte Signatur für einen bestimmten Datensatz, so sollte es ihm nicht möglich sein aus diesem Aggregat eine gültige Signatur für einen Teil der geschützten Dokumente abzuleiten, indem er einzelne Signaturen entfernt oder deaggregiert. Solche Angriffe können für viele Anwendungsfälle problematisch sein, da so Signaturen für Mengen von Dokumenten berechnet werden könnten, die nicht von den eigentlichen Erstellern beabsichtigt waren und nie von ihnen selbst signiert wurden. Wird ein aggregierbares Signaturverfahren etwa verwendet um eine Datenbank abzusichern, so sollte es Angreifern nicht möglich sein einzelne Einträge daraus zu entfernen. In dieser Dissertation werden mehrere Deaggregationssicherheitsbegriffe entwickelt, vorgestellt und untersucht. Dazu wird eine Hierarchie von verschieden starken Sicherheitsbegriffen entwickelt und die Zusammenhänge zwischen den einzelnen Begriffen werden formal untersucht. Dabei wird auch gezeigt, dass der von aggregierbaren Signaturverfahren garantierte Schutz gegen Fälschungen keinerlei Sicherheit gegen Deaggregationsangriffe gewährleistet. Des Weiteren wird die Deaggregationssicherheit einer Reihe von bekannten und wichtigen aggregierbaren Signaturverfahren näher betrachtet. Die von diesen Verfahren gebotene Sicherheit wird exakt klassifiziert, indem entweder Angriffsmöglichkeiten demonstriert werden oder formal bewiesen wird, welcher Sicherheitsbegriff der Hierarchie vom Verfahren erfüllt wird. Außerdem wird die Verbindung von Fehlertoleranz und Deaggregationssicherheit untersucht. Dabei stellt sich heraus, dass beide Begriffe nicht zueinander kompatibel sind, indem bewiesen wird, dass fehlertolerante aggregierbare Signaturverfahren keinerlei Sicherheit gegen Deaggregationsangriffe bieten können. Somit muss bei Anwendungen von aggregierbaren Verfahren genau abgewogen werden, welche der beiden Eigenschaften notwendig ist und ob zusätzliche Sicherheitsmaßnahmen angewendet werden müssen, um dieses Problem für die konkrete Anwendung zu beheben

Sequential Half-Aggregation of Lattice-Based Signatures

With Dilithium and Falcon, NIST selected two lattice-based signature schemes during their post-quantum standardization project. Whereas Dilithium follows the Fiat-Shamir with Aborts (Lyubashevsky, Asiacrypt\u2709) blueprint, Falcon can be seen as an optimized version of the GPV-paradigm (Gentry et al., STOC\u2706). An important question now is whether those signatures allow additional features such as the aggregation of distinct signatures. One example are sequential aggregate signature (SAS) schemes (Boneh et al., Eurocrypt\u2704) which allow a group of signers to sequentially combine signatures on distinct messages in a compressed manner. The present work first reviews the state of the art of (sequentially) aggregating lattice-based signatures, points out the insecurity of one of the existing Falcon-based SAS (Wang and Wu, PROVSEC\u2719), and proposes a fix for it. We then construct the first Fiat-Shamir with Aborts based SAS by generalizing existing techniques from the discrete-log setting (Chen and Zhao, ESORICS\u2722) to the lattice framework. Going from the pre-quantum to the post-quantum world, however, does most often come with efficiency penalties. In our work, we also meet obstacles that seem inherent to lattice-based signatures, making the resulting scheme less efficient than what one would hope for. As a result, we only achieve quite small compression rates. We compare our construction with existing lattice-based SAS which all follow the GPV-paradigm. The bottom line is that none of the schemes achieves a good compression rate so far

LCPR: High Performance Compression Algorithm for Lattice-Based Signatures

Many lattice-based signature schemes have been proposed in recent years. However, all of them suffer from huge signature sizes as compared to their classical counterparts. We present a novel and generic construction of a lossless compression algorithm for Schnorr-like signatures utilizing publicly accessible randomness. Conceptually, exploiting public randomness in order to reduce the signature size has never been considered in cryptographic applications. We illustrate the applicability of our compression algorithm using the example of a current state-of-the-art signature scheme due to Gentry et al. (GPV scheme) instantiated with the efficient trapdoor construction from Micciancio and Peikert. This scheme benefits from increasing the main security parameter $n$, which is positively correlated with the compression rate measuring the amount of storage savings. For instance, GPV signatures admit improvement factors of approximately $\lg n$ implying compression rates of about $65$\% at a security level of about 100 bits without suffering loss of information or decrease in security, meaning that the original signature can always be recovered from its compressed state. As a further result, we propose a multi-signer compression strategy in case more than one signer agree to share the same source of public randomness. Such a strategy of bundling compressed signatures together to an aggregate has many advantages over the single signer approach

Forward-Secure Multi-Signatures

Multi-signatures allow a group of signers to jointly sign a message in a compact and efficiently verifiable signature, ideally independent of the number of signers in the group. We present the first provably secure forward-secure multi-signature scheme by deriving a forward-secure signature scheme from the hierarchical identity-based encryption of Boneh, Boyen, and Goh (Eurocrypt 2005) and showing how the signatures in that scheme can be securely composed. Multi-signatures in our scheme contain just two group elements (one from each of the base groups) and require one exponentation and three pairing computations to verify

Research Philosophy of Modern Cryptography

Proposing novel cryptography schemes (e.g., encryption, signatures, and protocols) is one of the main research goals in modern cryptography. In this paper, based on more than 800 research papers since 1976 that we have surveyed, we introduce the research philosophy of cryptography behind these papers. We use ``benefits and ``novelty as the keywords to introduce the research philosophy of proposing new schemes, assuming that there is already one scheme proposed for a cryptography notion. Next, we introduce how benefits were explored in the literature and we have categorized the methodology into 3 ways for benefits, 6 types of benefits, and 17 benefit areas. As examples, we introduce 40 research strategies within these benefit areas that were invented in the literature. The introduced research strategies have covered most cryptography schemes published in top-tier cryptography conferences

On the Design and Improvement of Lattice-based Cryptosystems

Digital signatures and encryption schemes constitute arguably an integral part of cryptographic schemes with the goal to meet the security needs of present and future private and business applications. However, almost all public key cryptosystems applied in practice are put at risk due to its vulnerability to quantum attacks as a result of Shor's quantum algorithm. The magnitude of economic and social impact is tremendous inherently asking for alternatives replacing classical schemes in case large-scale quantum computers are built. Lattice-based cryptography emerged as a powerful candidate attracting lots of attention not only due to its conjectured resistance against quantum attacks, but also because of its unique security guarantee to provide worst-case hardness of average-case instances. Hence, the requirement of imposing further assumptions on the hardness of randomly chosen instances disappears, resulting in more efficient instantiations of cryptographic schemes. The best known lattice attack algorithms run in exponential time. In this thesis we contribute to a smooth transition into a world with practically efficient lattice-based cryptographic schemes. This is indeed accomplished by designing new algorithms and cryptographic schemes as well as improving existing ones. Our contributions are threefold. First, we construct new encryption schemes that fully exploit the error term in LWE instances. To this end, we introduce a novel computational problem that we call Augmented LWE (A-LWE), differing from the original LWE problem only in the way the error term is produced. In fact, we embed arbitrary data into the error term without changing the target distributions. Following this, we prove that A-LWE instances are indistinguishable from LWE samples. This allows to build powerful encryption schemes on top of the A-LWE problem that are simple in its representations and efficient in practice while encrypting huge amounts of data realizing message expansion factors close to 1. This improves, to our knowledge, upon all existing encryption schemes. Due to the versatility of the error term, we further add various security features such as CCA and RCCA security or even plug lattice-based signatures into parts of the error term, thus providing an additional mechanism to authenticate encrypted data. Based on the methodology to embed arbitrary data into the error term while keeping the target distributions, we realize a novel CDT-like discrete Gaussian sampler that beats the best known samplers such as Knuth-Yao or the standard CDT sampler in terms of running time. At run time the table size amounting to 44 elements is constant for every discrete Gaussian parameter and the total space requirements are exactly as large as for the standard CDT sampler. Further results include a very efficient inversion algorithm for ring elements in special classes of cyclotomic rings. In fact, by use of the NTT it is possible to efficiently check for invertibility and deduce a representation of the corresponding unit group. Moreover, we generalize the LWE inversion algorithm for the trapdoor candidate of Micciancio and Peikert from power of two moduli to arbitrary composed integers using a different approach. In the second part of this thesis, we present an efficient trapdoor construction for ideal lattices and an associated description of the GPV signature scheme. Furthermore, we improve the signing step using a different representation of the involved perturbation matrix leading to enhanced memory usage and running times. Subsequently, we introduce an advanced compression algorithm for GPV signatures, which previously suffered from huge signature sizes as a result of the construction or due to the requirement of the security proof. We circumvent this problem by introducing the notion of public and secret randomness for signatures. In particular, we generate the public portion of a signature from a short uniform random seed without violating the previous conditions. This concept is subsequently transferred to the multi-signer setting which increases the efficiency of the compression scheme in presence of multiple signers. Finally in this part, we propose the first lattice-based sequential aggregate signature scheme that enables a group of signers to sequentially generate an aggregate signature of reduced storage size such that the verifier is still able to check that each signer indeed signed a message. This approach is realized based on lattice-based trapdoor functions and has many application areas such as wireless sensor networks. In the final part of this thesis, we extend the theoretical foundations of lattices and propose new representations of lattice problems by use of Cauchy integrals. Considering lattice points as simple poles of some complex functions allows to operate on lattice points via Cauchy integrals and its generalizations. For instance, we can deduce for the one-dimensional and two-dimensional case simple expressions for the number of lattice points inside a domain using trigonometric or elliptic functions

Fault-Tolerant Aggregate Signatures

Aggregate signature schemes allow for the creation of a short aggregate of multiple signatures. This feature leads to significant reductions of bandwidth and storage space in sensor networks, secure routing protocols, certificate chains, software authentication, and secure logging mechanisms. Unfortunately, in all prior schemes, adding a single invalid signature to a valid aggregate renders the whole aggregate invalid. Verifying such an invalid aggregate provides no information on the validity of any individual signature. Hence, adding a single faulty signature destroys the proof of integrity and authenticity for a possibly large amount of data. This is largely impractical in a range of scenarios, e.g. secure logging, where a single tampered log entry would render the aggregate signature of all log entries invalid. In this paper, we introduce the notion of fault-tolerant aggregate signature schemes. In such a scheme, the verification algorithm is able to determine the subset of all messages belonging to an aggregate that were signed correctly, provided that the number of aggregated faulty signatures does not exceed a certain bound. We give a generic construction of fault-tolerant aggregate signatures from ordinary aggregate signatures based on cover-free families. A signature in our scheme is a small vector of aggregated signatures of the underlying scheme. Our scheme is bounded, i.e. the number of signatures that can be aggregated into one signature must be fixed in advance. However the length of an aggregate signature is logarithmic in this number. We also present an unbounded construction, where the size of the aggregate signature grows linearly in the number of aggregated messages, but the factor in this linear function can be made arbitrarily small. The additional information encoded in our signatures can also be used to speed up verification (compared to ordinary aggregate signatures) in cases where one is only interested in verifying the validity of a single message in an aggregate, a feature beyond fault-tolerance that might be of independent interest. For concreteness, we give an instantiation using a suitable cover-free family