The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks

Ristenpart, Thomas; Yilek, Scott

doi:10.1007/978-3-540-72540-4_13

Cited by 108 publications

(67 citation statements)

References 37 publications

(75 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our MS scheme, an adversary should prove that he knows the private key of other signer by using a zero-knowledge proof system. Ristenpart and Yilek showed that some MS schemes can be proven in the proof of possession (POP) setting instead of the POK setting [22]. Our MS scheme also can be proven in the POP setting by using their technique.…”

Section: Discussionmentioning

confidence: 94%

Sequential Aggregate Signatures Made Shorter

Lee

Yung

2013

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Sequential aggregate signature (SAS) is a special type of public-key signature that allows a signer to add his signature into a previous aggregate signature in sequential order. In this case, since many public keys are used and many signatures are employed and compressed, it is important to reduce the sizes of signatures and public keys. Recently, Lee, Lee, and Yung (PKC 2013) proposed an efficient SAS scheme with short public keys and proved its security without random oracles under static assumptions. In this paper, we propose an improved SAS scheme that has a shorter signature size compared with that of Lee et al.'s SAS scheme. Our SAS scheme is also secure without random oracles under static assumptions. To achieve the improvement, we devise a new public-key signature scheme that supports multi-users and public re-randomization. Compared with the SAS scheme of Lee et al., our SAS scheme employs new techniques which allow us to reduce the size of signatures by increasing the size of the public keys (obviously, since signature compression is at the heart of aggregate signature this is a further step in understanding the aggregation capability of such schemes).

show abstract

Section: Discussionmentioning

confidence: 94%

Sequential Aggregate Signatures Made Shorter

Lee

Yung

2013

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…[1,41]). The security of such constructions seems to be difficult to formally assess [40]. protocol.…”

Section: Security Modelmentioning

confidence: 99%

“…However, even these basic tests of private key ownership are not mentioned in industry guidelines issued by the CA/Browser Forum [12,13]. Furthermore, these procedures all fall short of the proofs of knowledge [40] required to match what is assumed in typical AKE models. Thus, an attacker may be able to register another party's public key under his own identifier, or register a malformed key which then interacts with properly generated keys in an unfortunate way.…”

Section: Introductionmentioning

confidence: 99%

ASICS: authenticated key exchange security incorporating certification systems

Boyd

Cremers

Feltz³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Abstract. Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority (CA) and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems (ASICS). We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.

show abstract

“…This conservative approach to modelling is fully appropriate given the great diversity in how CAs operate in the real world. The model can be seen as a natural adaptation of the approach of Shoup [16] for modelling interactive key exchange to the NIKE setting and is analogous to the plain setting studied in [20,21].…”

Section: Definitions Of Security For Non-interactive Key Exchangementioning

confidence: 99%

“…The model for NIKE in [10] is similar to, and presumably inspired by, the early work of Shoup [16] on interactive key exchange, where capturing so-called PKI attacks, also known as rogue-key attacks, was intrinsic to the security modelling. This modelling approach is referred to elsewhere in the literature as the plain setting (see [20,21] and the references therein) or the bare PKI setting [3]. The CKS model is certainly more challenging than settings where proofs of knowledge or proofs of possession of private keys are assumed to be given during registration, or where the adversary must reveal its secret key directly (as with the knowledge of secret key assumption used in [22,23]).…”

Section: Introductionmentioning

confidence: 99%

Non-Interactive Key Exchange

Freire

Hofheinz

Kiltz

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the ground-breaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models for this primitive and explore the relationships between them. We then give constructions for secure NIKE in the Random Oracle Model based on the hardness of factoring and in the standard model based on the hardness of a variant of the decisional Bilinear Diffie Hellman Problem for asymmetric pairings. We also study the relationship between NIKE and public key encryption (PKE), showing that a secure NIKE scheme can be generically converted into an IND-CCA secure PKE scheme. This conversion also illustrates the fundamental nature of NIKE in public key cryptography.

show abstract

The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks

Cited by 108 publications

References 37 publications

Sequential Aggregate Signatures Made Shorter

Sequential Aggregate Signatures Made Shorter

ASICS: authenticated key exchange security incorporating certification systems

Non-Interactive Key Exchange

Contact Info

Product

Resources

About