Propuesta transformadora 2 Manual de servicios de la Oficina de Información y

In this section we show a modification of our universal aggregation of unique signatures construction and proof from Section 4 The primary diffence is that the transformed siganture output will be a bit string as opposed to an RSA-type group element in_ZN. Thus, we are able to prove security without using the RSA assumption (but keeping indistinguishability obfuscation and punctured PRF security assumptions.) The primary tradeoff is that the setup must commit to an a-priori bound, non the number of signatures that can be aggregated. The signature length is independent ofn.

We will now describe ourn-bounded universal signature aggregator (`ver, `vk, `msg, `sig)-UniversalSigAgg.

Let ` and `owf be polynomials such that`(λ) ≥λ. We will use a puncturable PRF F with key space K,

punctured key space Kp, domainX ={0,1}`ver× {0,1}`vk × {0,1}`msg and range Y ={0,1}`, a one-way functionf :{0,1}`<sub>→ {0,1}</sub>`owf _{and an indistinguishability obfuscatoriO. Our scheme consists of the three}

algorithmsUniversalSetup, UniversalAggandUniversalVerify.

UniversalSetup(1λ,1n): UniversalSetup takes as input the security parameterλand a boundnon the num- ber of signatures to be aggregated. It chooses a puncturable PRF key K ← F.setup(1λ) and computes obfuscations of the circuitsTransformK andAggVerifyK defined below. It sets the public parameters to be PP = (iO(TransformK), iO(AggVerifyK)).

TransformK:

Inputs: Verify0∈ {0,1}`ver<sub>, VK</sub>0<sub>∈ {0,1}</sub>`vk_,m0 _{∈ {0,1}}`msg<sub>, σ</sub>0<sub>∈ {0,1}</sub>`sig_.

Constants : K∈ K. if Verify0(VK0, m0, σ0) = 0 then Output⊥. else OutputF(K,Verify0||VK0||m0). end if

AggVerify_K :

Inputs: {(Verify_i,VKi, mi)}ni=1 where (Verifyi,VKi, mi) ∈ {0,1}`ver× {0,1}`vk × {0,1}`msg <sub>for alli≤n,σ</sub> agg∈ {0,1}`. Constants : K∈ K. for alli≤ndo Computesi=F(K,Verifyi||VKi||mi). end for Output 1 if ⊕n i=1si =σagg, 0 otherwise.

UniversalAgg(PP,{(Verify_i,VKi, mi, σi)}ni=1): Let PP = (P1, P2). UniversalAggfirst checks that thentuples

are distinct. If not, it outputs⊥. Else, it computes ti=P1(Verifyi,VKi, mi, σi) for eachi≤n. Ifti=⊥for somei, thenUniversalAggoutputs⊥, else it outputsσagg=⊕iti.

UniversalVerify(PP,{(Verify_i,VKi, mi)}in=1, σagg): Let PP = (P1, P2). UniversalVerify first checks if the n

tuples are distinct. If not, it outputs 0. Else, it outputsP2({(Verifyi, VKi,mi)}ni=1,σagg).

A.1

Proof of security

In this section, we will show that our construction is selectively secure with respect to unique signature schemes.

Theorem A.1. Assuming iO is a secure indistinguishability obfuscator, (F, F.setup, F.puncture, F.eval) is a puncturable PRF and f is an injective one way function, for all (`ver, `vk, `msg, `sig)-length qual-

ified secure unique signature schemes S, the n-bounded universal signature aggregator (`ver, `vk, `msg,

`sig)-UniversalSigAggis selectively secure with respect toS.

Let S = (S.Gen,S.Sign,S.Verify) be a secure (`ver, `vk, `msg, `sig)-length qualified unique signature

scheme, andAtta PPT adversary. AssumeAttsendsqsigning queries during the signing phase. In order to prove this theorem, we will define a sequence of experimentsGame0,. . .,Game4, whereGame0 =Expsel_Att,S.

A.1.1 Sequence of Games

Game 0: This game corresponds to Expsel_Att,S. The adversary Att first sends messagem, and then receives the verification key and public parameters for the aggregator. Next, the adversary makes signing queries, and finally submits the forgery.

1. Att sends messagem.

2. Compute (SK,VK)← S.Gen(1λ_,1n_{). ChooseK←F.setup(1}λ_{) and set PP = (iO(Transform}

K), iO(AggVerifyK)). Send PP, VK toAtt.

3. For each signing queryxi6=m, computeσi← S.Sign(SK, xi) and sendσi toAtt.

4. Att sends forgeryσagg and ntuples {(Verifyi, VKi, mi)}. Att wins if ∃i∗ ∈ [n] such that Verifyi∗ = S.Verify, VKi∗ = VK andm_i∗=m andUniversalVerify( PP,{(Verify_i, VK_i,m_i)},σ_agg) = 1.

Game1: This game is exactly similar to the previous one, except that the programTransformK is replaced byTransform0_K which outputs⊥if the input tuples is (S.Verify,VK, m, σ) whereS.Verify(VK, m, σ) = 1.

1. Att sends messagem.

2. Compute (SK,VK)← S.Gen(1λ_,1n_{). ChooseK←F.setup(1}λ_).

Sety=S.Verify||VK||mand PP = (iO(Transform0_y,K),iO(AggVerify_K)). Send PP, VK toAtt. 3. For each signing queryxi6=m, computeσi← S.Sign(SK, xi) and sendσi toAtt.

4. Att sends forgeryσagg and ntuples {(Verifyi, VKi, mi)}. Att wins if ∃i∗ ∈ [n] such that Verifyi∗ = S.Verify, VKi∗ = VK andm_i∗=m andUniversalVerify( PP,{(Verify_i, VK_i,m_i)},σ_agg) = 1.

Transform0_y,K:

Inputs: Verify0∈ {0,1}`ver<sub>, VK</sub>0<sub>∈ {0,1}</sub>`vk_,m0 _{∈ {0,1}}`msg<sub>, σ</sub>0<sub>∈ {0,1}</sub>`sig_.

Constants : y∈ {0,1}`ver<sub>× {0,1}</sub>`vk_{× {0,1}}`msg_{,K∈ K.}

if Verify0(VK0, m0_{, σ}0_{) = 0 then}

Output⊥.

else if Verify0||VK0||m0=y then Output⊥.

else

OutputF(K,Verify0||VK0||m0). end if

Game 2: This game is similar to the previous one, except that the programsTransform0 andAggVerify are replaced byTransform-1 andAggVerify-1 respectively. Each of these programs uses a PRF key punctured at

y=S.Verify||VK||m.

1. Att sends messagem.

2. Compute (SK,VK)← S.Gen(1λ,1n). ChooseK←F.setup(1λ).

Sety=S.Verify||VK||m. ComputeK{y} ←F.puncture(K, y) andz=F(K, y). Set PP = (iO(Transform-1y,K{y}), iO(AggVerify-1y,K{y},z)) and send PP, VK toAtt. 3. For each signing queryxi6=m, computeσi← S.Sign(SK, xi) and sendσi toAtt.

4. Att sends forgeryσagg and ntuples {(Verifyi, VKi, mi)}. Att wins if ∃i∗ ∈ [n] such that Verifyi∗ = S.Verify, VKi∗ = VK andm_i∗=m andUniversalVerify( PP,{(Verify_i, VK_i,m_i)},σ_agg) = 1.

Transform-1y,K{y}:

Inputs: Verify0∈ {0,1}`ver<sub>, VK</sub>0<sub>∈ {0,1}</sub>`vk_,m0 _{∈ {0,1}}`msg<sub>, σ∈ {0,1}</sub>`sig_.

Constants : y∈ {0,1}`ver<sub>× {0,1}</sub>`vk_{× {0,1}}`msg_{,K{y} ∈ K}

p.

if Verify0(VK0, m0, σ0) = 0 then Output⊥.

else if Verify0||VK0||m0=y then Output⊥.

else

OutputF.eval(K{y},Verify0||VK0||m0). end if

AggVerify-1y,K{y},z:

Inputs: {(Verify_i,VKi, mi)}ni=1 where (Verifyi,VKi, mi) ∈ {0,1}`ver× {0,1}`vk × {0,1}`msg <sub>for alli≤n,σ</sub> agg∈ {0,1}`. Constants : y∈ {0,1}`ver<sub>× {0,1}</sub>`vk_{× {0,1}}lmsg_{,K{y} ∈ K} p,z∈ {0,1}`. for alli≤ndo if Verifyi||VKi||mi=y then si=z else

Computesi=F.eval(K{y},Verifyi||VKi||mi).

end if end for Output 1 if ⊕n

i=1si =σagg, 0 otherwise.

Game 3: In this game, the programAggVerify-1 is replaced byAggVerify-2. As before, a punctured key is used in the program. However, instead of directly checking whetherσagg=⊕si,AggVerify-2 uses a injective one way functionf.

1. Att sends messagem.

2. Compute (SK,VK)← S.Gen(1λ_,1n_{). ChooseK←F.setup(1}λ_).

Sety=S.Verify||VK||m. ComputeK{y} ←F.puncture(K, y) andz=F(K, y).

Computew=f(z), set PP = (iO(Transform-1y,K{y}),iO(AggVerify-2y,K{y},w)) and send PP, VK to Att.

3. For each signing queryxi6=m, computeσi← S.Sign(SK, xi) and sendσi toAtt.

4. Att sends forgeryσagg and ntuples {(Verifyi, VKi, mi)}. Att wins if ∃i∗ ∈ [n] such that Verifyi∗ = S.Verify, VKi∗ = VK andm_i∗=m andAggVerify-2_y,K{y},w({(Verify_i, VK_i,m_i)},σ_agg) = 1.

AggVerify-2y,K{y},w:

Inputs: {(Verify_i,VKi, mi)}ni=1 where (Verifyi,VKi, mi) ∈ {0,1}`ver× {0,1}`vk × {0,1}`msg _{for alli≤n,σ}

agg∈ {0,1}`.

Constants : y∈ {0,1}`ver<sub>× {0,1}</sub>`vk_{× {0,1}}`msg_{,K{y} ∈ K}

p, w∈ {0,1}`owf.

Setpresent=False,pos= 0. for alli≤ndo

if Verifyi||VKi||mi=y then Setpresent=True,pos=i. else

Computesi=F.eval(K{y},Verifyi||VKi||mi).

end if end for

if present=Falsethen Output 1 if⊕n

i=1si=σagg, 0 otherwise.

else

Output 1 iff(σagg⊕i6=possi) =w, 0 otherwise.

end if

Game4: This game is exactly similar to the previous one, except thatzis chosen at random. 1. Att sends messagem.

2. Compute (SK,VK)← S.Gen(1λ,1n). ChooseK←F.setup(1λ).

Sety=S.Verify||VK||m. ComputeK{y} ←F.puncture(K, y) andz← {0,1}`_.

Compute w=f(z), set PP = (iO(Transform-1y,K{y}),iO(AggVerify-2y,K{y},w)) and send PP, VK to Att.

3. For each signing queryxi6=m, computeσi← S.Sign(SK, xi) and sendσi toAtt.

4. Att sends forgeryσagg and ntuples {(Verifyi, VKi, mi)}. Att wins if ∃i∗ ∈ [n] such that Verifyi∗ = S.Verify, VKi∗ = VK andm_i∗=m andAggVerify-2_y,K{y},w({(Verify_i, VK_i,m_i)}_i,σ_agg) = 1.

A.1.2 Analysis

LetAdvj_Attdenote the advantage of adversary AttinGamej.

Claim A.1. AssumingiO is a secure indistinguishability obfuscator andS is a secure (`ver, `vk, `msg, `sig)-

length qualified unique signature scheme, for any PPT adversaryAtt,

Adv0_Att−Adv1_Att≤negl(λ).

Proof. The proof of this claim is similar to the one for Lemma 4.1.

Claim A.2. AssumingiOis a secure indistinguishability obfuscator, for any PPT adversaryAtt,

Adv1Att−Adv 2

Att≤negl(λ).

Proof. In order to prove this claim, we will define an intermediate hybridGame 1.5 which is exactly same as Game1 andGame2, except that the challenger sets PP = (iO(Transform-1y,K{y}), iO(AggVerifyK)). We will show (a) Game1 and Game 1.5 are computationally indistinguishable, (b) Game1.5 and Game2 are computationally indistinguishable.

Proof of (a). Suppose there exists a PPT adversaryAttsuch thatAdv1_Att−Adv1_Att.5=. We will construct a PPT algorithm B that constructs two circuits C0 and C1 with identical functionality, and uses Att to

distinguish betweeniO(C0) andiO(C1), thereby breaking the security ofiO.

BreceivesmfromAtt, chooses (SK,VK)← S.Gen(1λ_{) andK←F.setup(1}λ_{). It setsy=S.Verify||VK||m} and computesK{y} ←F.puncture(K, y). It setsC0=Transform0y,K andC1=Transform-1y,K{y}, and sends

C0, C1to theiOchallenger. It receivesC=iO(Cb). Bsets PP = (C, iO(AggVerifyK)) and sends PP,VK to Att.

Note that B can respond to the signing queries perfectly, since it has SK. Finally, ifAtt wins, then B

outputs 0, else it outputs 1. Clearly, ifC =iO(C0), then it corresponds toGame 1, else it corresponds to

Game1.5.

To conclude, we need to argue that C0 andC1 have identical functionality. This follows from the cor-

rectness property of puncturable PRFs. Note that both programs output ⊥ if one of the input tuples is

(S.Verify,VK, m, σ). For all other tuples (Verify0,VK0, m0, σ0),F(K,Verify0||VK0||m0) =F.eval(K{y},Verify0||VK0||m0). This completes the first step of our proof.

Proof of (b). The second step (showing thatGame1.5 andGame2 are computationally indistinguishable) follows along similar lines.

Claim A.3. AssumingiOis a secure indistinguishability obfuscator andf is an injective function, for any PPT adversaryAtt,

Adv2Att−Adv 3

Att≤negl(λ).

Proof. Suppose there exists a PPT adversaryAttsuch thatAdv2_Att−Adv3_Att=. As in the previous proof, we will construct a PPT algorithmB that constructs two circuits C0 and C1 with identical functionality, and

usesAttto distinguish betweeniO(C0) andiO(C1), thereby breaking the security ofiO.

The only difference between Game2 and Game3 is that in Game2, circuit AggVerify-1y,K{y}.z is used, while in Game 3, circuit AggVerify-2y,K{y},w is used. B interacts with Att and receives m. It chooses

(SK,VK)← S.Gen(1λ) and K ←F.setup(1λ). Next, it computes a key punctured aty =S.Verify||VK||m, i.e. K{y} ←F.puncture(K, y) and setsz=F(K, y) andw=f(z). Giveny, K{y}, z, w,Bcan now construct circuits C0 =AggVerify-1y,K{y},z and C1 =AggVerify-2y,K{y},w. B sends C0 and C1 to theiO challenger,

and receivesC=iO(Cb). Bsets PP =(iO(Transform-1y,K{y}),C) and sends PP,VK toAtt.

Bnow responds to signing queries using SK. FinallyAttsends forgeryσagg, along withntuples{(Verifyi, VKi, mi)}. If C({Verifyi,VKi,mi}, σagg)= 1, output 0, else output 1. Clearly, if C =iO(C0), then this

corresponds toGame2, else it corresponds toGame 3. Therefore, all that remains is to prove thatC0 and

C1have identical functionality.

Consider any input ({(Verify_i, VKi, mi)},σagg). If there is no i∗ such that Verifyi∗||VKi∗||m_i∗ =

y, then both circuits check if σagg=⊕iF(K{y},Verifyi||VKi||mi). If there exists an i∗ ∈ [n] such that Verify_i∗||VKi∗||m_i∗=y, thenC₀ accepts iff

(⊕i6=i∗F(K{y},Verify_i||VK_i||m_i))⊕F(K, y) =σ_agg

⇐⇒ (⊕i6=i∗F(K{y},Verify_i||VK_i||m_i))⊕σ_agg=F(K, y) =z ⇐⇒ f((⊕i6=i∗F(K{y},Verify_i||VK_i||m_i))⊕σ_agg) =f(z) =w.

The last equivalence follows from the fact that f is an injective function. However, note that the last statement is the condition for C1 accepting. This proves that bothC0 andC1 have identical functionality,

which proves our claim.

Claim A.4. AssumingF is a puncturable PRF, for any PPT adversaryAtt,

Adv3Att−Adv 4

Att≤negl(λ).

Proof. Suppose there exists a PPT adversaryAtt such thatAdv3_Att−Adv4_Att =. We will construct a PPT algorithm B that uses Att to break the security of puncturable PRF (F, F.setup, F.puncture, F.eval) with advantage.

First,Breceives the messagemfromAtt. As inGame3 andGame4, it computes (SK,VK)← S.Gen(1λ). Next, it sendsy=S.Verify||VK||mas the challenge to the PRF challenger. Breceives a punctured keyK{y}

and z ∈ {0,1}`<sub>, where z =F(K, y) orz ← {0,1}</sub>`_{. B computesw=f(z) and sets the public parameters} PP=(iO(Transform-1y,K{y}),iO(AggVerify-2y,K{y},w)). It sends PP,VK toAtt.

The signing phase and forgery phase are exactly similar in Game3 andGame4. For each signing query

xi,BsendsS.Sign(SK, xi) toAtt. Finally,Attoutputs the forgery σagg andntuples{(Verifyi, VKi,mi)}. Note that ifz=F(K, y), thenBsimulatesGame3 perfectly. Ifz← {0,1}`_{,BsimulatesGame4 perfectly.} This concludes our proof.

Claim A.5. Assumingf is a one way function, for any PPT adversaryAtt,

Adv4_Att≤negl(λ).

Proof. Suppose there exists a PPT adversaryAtt such thatAdv4_Att=. We will construct a PPT algorithm

Bthat, usingAtt, inverts the one way functionf with probability.

B receivesw from the one way function challenger and mfrom Att. It chooses (SK,VK)← S.Gen(1λ_),

K ←F.setup(1λ) and computes K{y} ←F.puncture(K, y) (where y =S.Verify||VK||m). It sets the public parameters PP=(iO(Transform-1y,K{y}),iO(AggVerify-2y,K{y},w)) and sends PP,VK toAtt.

For each signing queryxi, it computesS.Sign(SK, xi).

Finally,Breceivesσagg∈ {0,1}`andntuples{(Verifyi,VKi, mi)}. IfAggVerify-2y,K{y},w({Verifyi, VKi,

mi},σagg)=1 and ∃i∗ such that Verifyi∗||VKi∗||m_i∗ =y, then B can successfully find an inverse for w. B computessi=F(K,Verifyi||VKi||mi) fori6=i∗ and sendsσagg⊕i6=i∗s_i to the one way function challenger. Clearly, ifAttwins inGame4, thenBinverts the one way function.

To conclude, it follows from the above claims that any PPT adversary has at most negligible advantage in Game 0 (assuming iO, F and f are secure), and therefore then-bounded aggregator described in A is selectively secure with respect to secure unique signature schemes.

In document Sistematización de la experiencia: práctica profesional en la Dirección de Comunicaciones de la Pontificia Universidad Javeriana, durante el periodo mayo agosto de 2017 (página 68-73)