Better than BiBa: Short Onetime Signatures with Fast Signing and Verifying - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Better than BiBa: Short Onetime Signatures with Fast Signing and Verifying

Description:

Create a more efficient one-time signature scheme than Biba. Computer ... Use one-way function f to compute where vn = f (sn) Public Key = (k, v1, ..., vt) ... – PowerPoint PPT presentation

Number of Views:76
Avg rating:3.0/5.0
Slides: 16
Provided by: discover
Category:

less

Transcript and Presenter's Notes

Title: Better than BiBa: Short Onetime Signatures with Fast Signing and Verifying


1
Better than BiBaShort One-time Signatures with
Fast Signing and Verifying
Computer Science
  • Leonid Reyzin and Natan Reyzin
  • April 30th, 2002
  • Presented by Michael Lee

2
Introduction
  • Problem
  • One-time signature schemes used in broadcast
    authentication
  • Needs to have
  • efficient signing
  • efficient verifying
  • small public key size
  • small signature size
  • Goal
  • Create a more efficient one-time signature scheme
    than Biba

2
Computer Science
3
Previous Work
  • Lamport/Rabin
  • One-time signature schemes based on one-way
    functions
  • Biba
  • Created efficient one-time signature scheme for
    use with broadcast authentication
  • Benefits
  • Fast verification of signatures
  • Small communication overhead
  • Disadvantages
  • Time to sign a message

3
Computer Science
4
Overview
  • One-time signature scheme (HORS) which
  • verifies slightly faster than Biba
  • signs faster than verifying (much faster than
    Biba)
  • key and signature sizes are slightly improved for
    same security level compared to Biba
  • Can be used r times instead of just once
  • necessary for Biba stream authentication scheme
  • Can be used in the Biba stream authentication
    scheme without modification

4
Computer Science
5
HORS Hash to Obtain Random Subset
  • Pick k and t
  • k is linear to public key size
  • t is linear to signature size and verification
    time
  • T set 1,2,...,t
  • f one-way function

5
Computer Science
6
HORS Hash to Obtain Random Subset
  • H hash function resulting in at most a
    k-element subset of T (picked from an random
    family of hash functions)
  • Infeasible that two messages result in same
    subset (strong collision resistance property of
    hash functions)
  • SHA-1 should work for small values of r
  • SHA-1 output split into k substrings of length
    log2 t each.
  • k 16 t 210 (160 16 10)
  • k 20 t 28 (160 20 8)

SHA-1 output
k1
k2
k3
k4
k5
k6
k7
k8
k9
k10
k11
k12
k13
k14
k15
k16
6
Computer Science
7
Key Generation
  • Secret Key
  • Generate t random l-bit strings (s1, ..., st)
  • Secret Key (k, s1, ..., st)
  • Public Key
  • Use one-way function f to compute where vn f
    (sn)
  • Public Key (k, v1, ..., vt)

7
Computer Science
8
Sign
  • h H(m)
  • Split h into k substrings hi, ...hk of length
    log2 t
  • Interpret hj as integer ij for 1 j k
  • Signature
  • Ex
  • h1 50, then the first value in signature will
    be s50

SHA-1 output
h1
h2
h3
h4
h5
h6
h7
h8
h9
h10
h11
h12
h13
h14
h15
h16
8
Computer Science
9
Verify
  • Signature (s1, ..., sk)
  • h H(m)
  • Split h into k substrings hi, ...hk of length
    log2 t
  • Interpert hj as integer ij for 1 j k
  • Verify for all j where 1 j k
  • Accept signature if true for all j
  • Reject signature if false for any j
  • Ex
  • f (s1) 1074 v50

9
Computer Science
10
Security Analysis
  • HORS signatures can be compromised
  • when the one-way property of f or H has been
    broken.
  • if the attacker can cache enough signatures to
    forge a new signature

10
Computer Science
11
Biba Comparison
  • Sign Calls to Random Oracle/Hash Function
  • Biba 2t
  • HORS 1
  • Verify Calls to one-way function f
  • Biba k
  • HORS k
  • Verify Calls to Random Oracle/Hash Function
  • Biba k
  • HORS 1

11
Computer Science
12
Biba Comparison (cont.)
  • r-non-adaptive message attack
  • HORS can use slightly smaller t and k and get the
    same security than Biba
  • Alternatively, HORS can achieve more security
    using the same t and k
  • Adaptive message attack
  • Biba is more secure

12
Computer Science
13
Conclusion
  • HORS is more efficient than Biba
  • Both signing and verifying a message takes less
    time
  • HORS security is comparable to Biba
  • HORS signatures are secure if less than r
    signatures are made with the same secret key
  • HORS security is better in the case of a
    r-non-adaptive message attack

13
Computer Science
14
Future Work
  • More comparisons against Biba
  • Specifically, on adaptive message attacks
  • Determine the security of using different hash
    functions (H).
  • Determine what is a secure r when using SHA-1
  • Incorporate into Biba's stream authentication
    scheme

14
Computer Science
15
Questions?
Computer Science
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Better than BiBa: Short Onetime Signatures with Fast Signing and Verifying" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!