II. Lattice-based Signatures 91

7. Compression Scheme for Signatures 116

7.5. Generic Multi-Signer Compression Strategy

it is reasonable to tailor the definition of aggregate signatures to our multi-signer compression scheme.

Definition 7.9 (Multi-Signer Compression Scheme (MSC)). In a multi-signer compression scheme, $l$ signatures $z_i$ on $l$ messages $msg_i$ from $l$ distinct signers, $1 \le i \le l$, are combined into a signature $z_{MSC}$ such that the resulting aggregate signature $z_{MSC}$ is significantly smaller than the total size of all individual signatures (compression property). Moreover, each individual standard signature $z_i$ can efficiently be recovered from $z_{MSC}$ (uncompression property).

The generic construction of our multi-signer compression scheme (MSC) from public randomness $r$ involves five algorithms.

KeyGen($1^n$, $i$ with $1 \le i \le l$): Outputs secret key $sk_i$ and public key $pk_i$ to signer $i$.

SeedGen($1^n$): Outputs a centroid generating seed $r \in \{0,1\}^\mu$.

Sign($sk_i$, $r \in \{0,1\}^\mu$, $msg_i$): Outputs a message $msg_i$ of signer $i$ and an individual signature $z'_i = z - z_i$ compressed with respect to $z$, which is generated by means of the random seed $r$.

Bundle($\vec{pk}$, $\vec{z}$, $r$, $\vec{msg}$): Outputs the aggregate signature $\vec{z}_{MSC}$ as a bundle of $l$ compressed signatures including the seed $r$.

Verify($\vec{pk}$, $z_{MSC}$, $r$, $\vec{msg}$): Verifies the aggregate signature $\vec{z}_{MSC}$ with the aid of the public keys $\vec{pk} = (pk_1, \ldots, pk_l)$, the centroid generating seed $r$ and the messages $\vec{msg} = (msg_1, \ldots, msg_l)$. For each valid signature in the bundle $z_{MSC}$ set the corresponding entry of $out$ to 1, otherwise set it to 0. Output $out$.

As already observed, the generic compression algorithms from Section 7.2 naturally induce multi-signer compression schemes, since all parties are allowed to consume the same source of public randomness as per Theorem 7.3. We hereby present a generic approach towards constructing a multi-signer compression scheme that is more efficient than the single-signer approach. The security of the scheme inherently stems from Theorem 7.4.

Theorem 7.10 (Security). Let $r \in \{0,1\}^\mu$ be sampled uniformly at random. Then the bundle of compressed signatures (aggregate signature) in Algorithm 7.4 is secure, assuming that it is hard to break the uncompressed signatures.

Proof. By assumption, $r$ is uniformly random. Since each compressed signature is recovered and subsequently verified independently of the remaining ones in the bundle, we can directly apply Theorem 7.4.


Algorithm 8: AS Scheme: AggSign
Data: Distribution of signatures $Z$, seed $r \in \{0,1\}^\mu$
 1  for $i = 1$ to $l$ do
 2      \\ $i$-th Signer
 3      Sample $z \leftarrow Z$ using input seed $r$
 4      Set $b = \max_{s,c} \|f_s(c)\|$
 5      Set $C = z + [-b, b]^m$, $P[C] := P_{y \sim Y}(y \in C)$
 6      for $i = 1 \rightarrow l$ do
 7          Sample $y_i \leftarrow Y(x)/P[C]$, $x \in C$
 8          $z_i = f_{s_i}(c_i) + y_i$
 9      end
10  end
11  Output $(r, z - z_1, \ldots, z - z_l)$, $\vec{msg}$

Algorithm 9: Verification: AggVerify
Data: Aggregate signature $(r, z'_1, \ldots, z'_l)$ with $z'_i = z - z_i$, messages $\vec{msg}$
 1  Sample $z \leftarrow Z$ using input seed $r$
 2  for $i = 1$ to $l$ do
 3      $z_i = z - z'_i$ \\ uncompressed signatures
 4      if Verify($z_i$, $msg_i$) == 1 then
 5          $out_i := 1$
 6      else
 7          $out_i := 0$
 8      end
 9  end
10  Output $out$

Figure 7.4.: Aggregate Signature Scheme
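The generic scheme of Figure 7.4, as an added worked example in Python that is not part of the thesis: each signature is compressed as its difference to a centroid re-derived from the public seed, the differences are bundled with the seed, the verifier recovers every signature exactly, and the size gain is measured. The centroid distribution $Z$ (a seeded, rounded Gaussian), the vector length, the box bound $b$, the toy signers and the bit accounting are constructed assumptions; the individual scheme's Verify is passed in as a callable rather than instantiated.

```python
import hashlib
import math
import random

# Constructed toy parameters (assumptions, not from the thesis): vector length m,
# Gaussian parameter s of the centroid distribution Z, and the bound b of the
# box C = z + [-b, b]^m from which the signers' signatures are drawn.
M, S, BOUND = 16, 400.0, 7

def sample_centroid(r: bytes, m: int = M, s: float = S) -> list[int]:
    """z <- Z from the public seed r; a seeded, rounded Gaussian stands in for D_{Z,s}."""
    rng = random.Random(int.from_bytes(hashlib.sha256(r).digest(), "big"))
    return [round(rng.gauss(0.0, s / math.sqrt(2 * math.pi))) for _ in range(m)]

def toy_signers(r: bytes, count: int, b: int = BOUND) -> list[list[int]]:
    """Stand-in for the l signers: every z_i lies in C = z + [-b, b]^m (Alg. 8, lines 5-8)."""
    z, rng = sample_centroid(r), random.Random(1234)  # constructed signer randomness
    return [[zj + rng.randint(-b, b) for zj in z] for _ in range(count)]

def bundle(r: bytes, sigs: list[list[int]]) -> tuple[bytes, list[list[int]]]:
    """Sign + Bundle: z_MSC = (r, z'_1, ..., z'_l) with z'_i = z - z_i (Alg. 8, line 11)."""
    z = sample_centroid(r)
    return r, [[zj - sj for zj, sj in zip(z, s_i)] for s_i in sigs]

def uncompress(zmsc: tuple[bytes, list[list[int]]]) -> list[list[int]]:
    """Verifier side (Alg. 9, lines 1-3): re-derive z from r, then z_i = z - z'_i."""
    r, diffs = zmsc
    z = sample_centroid(r)
    return [[zj - dj for zj, dj in zip(z, d)] for d in diffs]

def agg_verify(zmsc, msgs: list[str], verify) -> list[int]:
    """Alg. 9, lines 4-10: out_i = 1 iff the recovered z_i verifies under the individual scheme."""
    return [1 if verify(z_i, msg) == 1 else 0 for z_i, msg in zip(uncompress(zmsc), msgs)]

def encoded_bits(vectors: list[list[int]]) -> int:
    """Bits needed to store the vectors with a fixed-width signed encoding of the largest entry."""
    top = max(abs(x) for v in vectors for x in v)
    return sum(len(v) for v in vectors) * (top.bit_length() + 1)

def compression_ratio(r: bytes, sigs: list[list[int]]) -> float:
    """Size of the l plain signatures divided by the size of z_MSC (seed counted in bits)."""
    _, diffs = bundle(r, sigs)
    return encoded_bits(sigs) / (8 * len(r) + encoded_bits(diffs))
```

A verifier holding a different seed re-derives a different centroid, so the recovered vectors no longer match the signers' signatures, which is the "shared secret seed" property stated below.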

Indeed, the multi-signer compression scheme described above allows the verifier to recover all individual signatures from $z_{MSC}$. The centroid associated with $r$ ties all the individual signatures together. Furthermore, if the seed is made a shared secret, the aggregate signature can only be recovered and verified by the holders of $r$.

Such schemes are interesting in the context of wireless sensor networks (WSNs), because WSNs are characterized by constrained resources, so that there is an inherent need for data compression schemes that reduce the amount of traffic. Therefore, we consider cluster-based sensor networks in Section 7.6 as a potential application scenario for our scheme.


7.5.2. Multi-Signer Compression Scheme in the GPV Setting

A usable and practical way of instantiating the scheme requires the participating signers to agree on a random string in advance. This is attained, for example, if each signer samples a random salt $r_i$ and broadcasts it to the remaining parties in order to produce the final seed $r = H(r_1, \ldots, r_l)$ using a cryptographic hash function modeled as a random oracle. Each signer maintains a counter that is increased for every compression request. This counter is appended to $r$ and serves as input to a second hash function, whose output sequence is used to sample the centroid in order to compress GPV signatures. At this point we have to explain how to sample continuous Gaussians in the case when the signers' parameters $n_i$ and $k_i$ differ.

Our goal is to keep the scheme as efficient as with constant parameters. The computation complexity and the number of transmitted seeds should not change. Therefore, one starts by defining the maximum Gaussian parameter $s = \max_i s_i$, the maximum dimension $N = \max_i n_i$ and the maximum number of entries $M = \max_i n_i k_i$, with $s_i$, $n_i$, $k_i$ and $m_i = n_i \cdot k_i$ denoting the parameters of the $i$-th signer. Accordingly, we define $b_i = s_i^2 - 5a^2$ and $B = s^2 - 5a^2 \ge b_i$. Following Theorem 7.7 and Theorem 7.2, each signer samples a continuous Gaussian from a set of proper width. This can be achieved by sampling $d_i \leftarrow_R D_1^{m_i}$ with $d_i \in C_i = \left[\frac{z^{(3)}}{\sqrt{B}} - 4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{b_i}},\ \frac{z^{(3)}}{\sqrt{B}} + 4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{b_i}}\right]^{m_i}$, where $z^{(3)}$ is a discrete Gaussian vector with parameter $s$ and $a = \sqrt{\ln\big(2n(1 + 1/\epsilon)\big)/\pi}$. The choice of $s$ implies $C \subseteq C_i$ for $C = \frac{z^{(3)}}{\sqrt{B}} + \left[-4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{B}},\ 4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{B}}\right]$ and thus provides the required interval width.

Due to differing parameters, the number of signature entries varies among the signers such that $m_i \le m$. For this reason, one takes as many entries as required from $z^{(3)}$, starting from the first component of $z^{(3)}$. Since each signer operates with different parameters $b_i$ and $s_i$ when sampling signatures, we have to derive individual centroids $w_i$ from $z^{(3)}$ efficiently. The most reasonable way of doing this is to set $w_i = \left\lfloor \frac{z^{(3)}}{\sqrt{B}} \cdot \sqrt{b_i} \right\rceil$ for signer $i$, which can be computed efficiently from public parameters, such that its difference to the center of the scaled set $\sqrt{b_i} \cdot C_i$ is smaller than 0.5 in each entry. As a result, we still have $\log \|w_i - z_i^{(3)}\| \le 7$ except with negligible probability. In case we have $b_i = B$ for all $i$, $w_i = z^{(3)}$ is obtained as the centroid for all signers. In Figure 7.5 we provide the main steps. Here $D^M_{\mathbb{Z},s}(t)$ denotes the discrete Gaussian sampler simulating signatures with parameter $s$ and input seed $t$.


Algorithm 10: MS Compression: MCSign
Data: Seed $r$, parameters $s_i, n_i, k_i, B, M, N, s$
 1  $ctr = j$ \\ counter
 2  $t \leftarrow H(r, ctr)$ \\ actual seed
 3  $z \leftarrow D^M_{\mathbb{Z},s}(t)$ \\ centroid using $t$
 4  for $i = 1$ to $l$ do
 5      \\ Compression
 6      Set $m = n_i \cdot k_i$, $n = n_i$, $b = b_i$ and $A = A_i$
 7      $w_i = \left\lfloor \frac{z}{\sqrt{B}} \cdot \sqrt{b} \right\rceil$ \\ modified centroid
 8      Define $C_i = \left[\frac{z}{\sqrt{B}} - 4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{b}},\ \frac{z}{\sqrt{B}} + 4.7 \cdot \frac{\sqrt{5}\,a}{\sqrt{b}}\right]^m$
 9      \\ Signing
10      $d_1 \leftarrow D_1^{2n}$, $d_2 \leftarrow D_1^m$, $d_2 \in C_i$
11      $z_i = (z_i^{(1)}, z_i^{(2)}, z_i^{(3)}) \leftarrow f_A^{-1}(H(msg_i))$
12      $y_i = (z_i^{(2)}, w_i - z_i^{(3)})$ (Lemma 7.8, Theorem 7.7)
13  end
14  Output Aggregate $(ctr, y_1, \ldots, y_l)$

Algorithm 11: Verification: MCVerify
Data: Seed $r$, $(ctr, y_1, \ldots, y_l)$, parameters $s_i, n_i, k_i, B, M, N, S$
 1  $t \leftarrow H(r, ctr)$ \\ actual seed
 2  $z \leftarrow D^M_{\mathbb{Z},S}(t)$ \\ centroid
 3  for $i = 1$ to $l$ do
 4      \\ Uncompression
 5      Set $m = n_i \cdot k_i$, $n = n_i$, $b = b_i$ and $A = A_i$
 6      $w_i = \left\lfloor \frac{z}{\sqrt{B}} \cdot \sqrt{b} \right\rceil$ \\ modified centroids
 7      $y_i = (z_i^{(2)}, w_i - z_i^{(3)})$, $z_i = (z_i^{(1)}, z_i^{(2)}, z_i^{(3)})$
 8  end
 9  $\vec{z} = (z_1, \ldots, z_l)$ \\ uncompressed signatures
10  $out = (0, \ldots, 0)$
11  for $i = 1$ to $l$ do
12      \\ Verification
13      if $f_{A_i}(z_i) = H(msg_i) \wedge \|z_i\| < s_i \sqrt{m_i}$ then
14          $out_i = 1$, $z_i$ is valid
15      end
16  end
17  Output $out$

Figure 7.5.: Multi-Signer Compression Scheme in the GPV Setting
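The seed agreement $r = H(r_1, \ldots, r_l)$, the per-request seed $t = H(r, ctr)$ and the per-signer centroids $w_i$ for signers with differing $(s_i, n_i, k_i)$, as an added Python example that is not part of the thesis. SHA-256 as $H$, a seeded rounded Gaussian standing in for $D^M_{\mathbb{Z},s}(t)$, the value of $a$ and the signer parameters are assumptions; the GPV signing and verification steps of Algorithms 10 and 11 are not implemented, only the centroid derivation and its 0.5 entrywise bound.

```python
import hashlib
import math
import random

def agree_seed(salts: list[bytes]) -> bytes:
    """r = H(r_1, ..., r_l) over the salts every signer broadcast; H is SHA-256 here (assumption)."""
    return hashlib.sha256(b"".join(salts)).digest()

def session_seed(r: bytes, ctr: int) -> bytes:
    """t = H(r, ctr), the 'actual seed' of Alg. 10/11; ctr is the signer's compression counter."""
    return hashlib.sha256(r + ctr.to_bytes(8, "big")).digest()

def sample_dz(t: bytes, M: int, s: float) -> list[int]:
    """Stand-in for D^M_{Z,s}(t): a seeded, rounded Gaussian with parameter s (assumption)."""
    rng = random.Random(int.from_bytes(t, "big"))
    return [round(rng.gauss(0.0, s / math.sqrt(2 * math.pi))) for _ in range(M)]

def box_bound(s_i: float, a: float) -> float:
    """b_i = s_i^2 - 5a^2; evaluated at the maximum parameter s this is B."""
    return s_i * s_i - 5 * a * a

def signer_centroid(z3: list[int], B: float, b_i: float, m_i: int) -> list[int]:
    """w_i = round(z^(3)/sqrt(B) * sqrt(b_i)), using only the first m_i entries of z^(3)."""
    scale = math.sqrt(b_i / B)
    return [round(zj * scale) for zj in z3[:m_i]]

def centroid_error(z3: list[int], B: float, b_i: float, w_i: list[int]) -> float:
    """Largest entrywise gap between w_i and the centre sqrt(b_i)*z^(3)/sqrt(B) of sqrt(b_i)*C_i."""
    scale = math.sqrt(b_i / B)
    return max(abs(wj - zj * scale) for wj, zj in zip(w_i, z3))

def derive_centroids(salts, ctr, s_list, n_list, k_list, a):
    """Whole derivation for l signers with differing (s_i, n_i, k_i): returns z^(3) and all w_i."""
    s = max(s_list)                                   # maximum Gaussian parameter
    M = max(n * k for n, k in zip(n_list, k_list))    # maximum number of entries
    B = box_bound(s, a)
    z3 = sample_dz(session_seed(agree_seed(salts), ctr), M, s)
    ws = [signer_centroid(z3, B, box_bound(s_i, a), n * k)
          for s_i, n, k in zip(s_list, n_list, k_list)]
    return z3, ws
```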


7.6. Application Scenario - Cluster-based Aggregation in