formalizing group blind signatures and practical ... · formalizing group blind signatures and...
Post on 26-Aug-2019
225 Views
Preview:
TRANSCRIPT
FORMALIZING GROUP BLIND SIGNATURES AND
PRACTICAL CONSTRUCTIONS WITHOUT
RANDOM ORACLES
Essam Ghadafi
ghadafi@cs.bris.ac.ukUniversity of Bristol
ACISP 2013
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
OUTLINE
1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS
FORMALIZING GROUP BLIND SIGNATURES . . .
GROUP BLIND SIGNATURES
Group Signatures [CH91] preserve the anonymity of the signer.
Blind Signatures [Cha83] preserve the privacy of the messageto be signed.
Group Blind Signatures [LZ98] combine properties of theabove and thus preserve both the anonymity of the signer + theprivacy of the message.
FORMALIZING GROUP BLIND SIGNATURES . . . 1
GROUP BLIND SIGNATURES
User
Group
IssuerOpener
gpk
ok ik
FORMALIZING GROUP BLIND SIGNATURES . . . 2
GROUP BLIND SIGNATURES
User
Group
IssuerOpener
gpk
ok ik
FORMALIZING GROUP BLIND SIGNATURES . . . 2
GROUP BLIND SIGNATURES
User
Group
IssuerOpener
gpk
ok ik
Sig
FORMALIZING GROUP BLIND SIGNATURES . . . 2
GROUP BLIND SIGNATURES
User
Group
IssuerOpener
gpk
ok ik
Sig
FORMALIZING GROUP BLIND SIGNATURES . . . 2
HISTORY AND RELATED WORK
The primitive which combines the properties of a blind signature[Cha83] and a group signature [CH91] was introduced byLysyanskaya and Zulfikar [LZ98].
Existing constructions:I Lysyanskaya and Zulfikar, 1998.
Based on Camenisch-Stadler group signatures [CL97].I K. Q. Nguyen, Y. Mu, and V. Varadharajan, 1999.
Uses divertible zero-knowledge proofs [OO90].
FORMALIZING GROUP BLIND SIGNATURES . . . 3
APPLICATIONS OF GROUP BLIND SIGNATURES
Group blind signatures provide bi-directional privacy and are thususeful for applications where such a requirement is needed.
Example applications:
I Distributed e-cash, e.g. [LZ98]: The e-coin reveals neither theidentity of its holder nor that of the issuing bank/branch.
I Other applications include: multi-authority e-voting ande-auction systems.
FORMALIZING GROUP BLIND SIGNATURES . . . 4
OUR CONTRIBUTION
I A formal security model for the primitive.
I A generic construction.
I The first instantiations without random oracles.
I Other useful building blocks and observations.
FORMALIZING GROUP BLIND SIGNATURES . . . 5
SECURITY DEFINITION CHALLENGES
The signing protocol is blind, i.e. the message is not known to thesigner and the signature is not well defined, so:
1 How to define Full Anonymity, i.e. CCA2 Anonymity?⇒ How to identify the challenge signature?
2 How to define non-frameability?
3 How to extend blindness to the group setting?
FORMALIZING GROUP BLIND SIGNATURES . . . 6
SYNTAX OF GROUP BLIND SIGNATURES
A GROUP BLIND SIGNATURE
GKg(1λ): Outputs gpk, ik and ok.
UKg: Outputs a pair of personal secret/public keys(ssk[i], spk[i]) for a signer.
〈Join(gpk, i, ssk[i]), Issue(ik, i, spk[i])〉: If successful, Signeribecomes a member and obtains a group signing key gsk[i].
〈Obtain(gpk,m),Sign(gsk[i])〉: If successful, the user obtains asignature Σ; Otherwise, it outputs ⊥.
GVf(gpk,m,Σ): Verifies if Σ is valid on the message m.
Open(gpk,ok, reg,m,Σ): Returns the identity of the signerplus a proof τ .
Judge(gpk, i, spk[i],m,Σ, τ): Verifies the Opener’s decision.
FORMALIZING GROUP BLIND SIGNATURES . . . 7
SECURITY OF GROUP BLIND SIGNATURES
I Correctness: If all parties are honest, we have that:
Signatures are accepted by the GVf algorithm.The Opener can identify the signer.The Judge algorithm accepts the Opener’s decision.
FORMALIZING GROUP BLIND SIGNATURES . . . 8
SECURITY OF GROUP BLIND SIGNATURES
I Anonymity: Signatures do not reveal who signed them.
Open†Open†
SSKSSK
CrptSCrptS
SndToSSndToS
b*
ModifyRegModifyReg
ModifyRegModifyReg ...
i0, i1Ch
b←{0,1}
Ch
b←{0,1}
gpk,ik
Adversary wins if: b = b∗.
I † Similarly to IND-RCCA [CKN03], the Open oracle returns ⊥if the signature opens to i0 or i1.
FORMALIZING GROUP BLIND SIGNATURES . . . 9
SECURITY OF GROUP BLIND SIGNATURES
I Traceability: The adversary cannot output an untraceablesignature.
AddSAddS
CrptSCrptS
ReadRegReadReg
SSKSSK
SndToISndToI
gpk,ok
Σ,m
Adversary wins if all the following holds:Σ verifies on m.Either Σ does not open to a signer in the group or Judge doesnot accept the Opener’s decision on Σ.
FORMALIZING GROUP BLIND SIGNATURES . . . 10
SECURITY OF GROUP BLIND SIGNATURES
I Non-Frameability: The adversary cannot output a signature thattraces to an honest member who did not produce it.
gpk,ik,ok
CrptSCrptS
ModifyRegModifyReg
SSKSSK id,Σ1,m1,...,Σn+1,mn+1
SndToSSndToS
... OSignOSign
Adversary wins if all the following holds:∀i ∈ {1, . . . , n + 1}, Σi verifies on mi, opens to id and theopening is accepted by Judge.The adversary asked for only n signatures by signer id.If weak unforgeability, the messages are distinct.
FORMALIZING GROUP BLIND SIGNATURES . . . 11
SECURITY OF GROUP BLIND SIGNATURES
I Blindness: Group members do not learn the message beingsigned.
Open†Open†
SSKSSK
CrptSCrptS
SndToSSndToS
b*
ModifyRegModifyRegReadRegReadReg
Obtain(gpk,mb)Obtain(gpk,mb)
gpk,ik
Obtain(gpk,m1-b)Obtain(gpk,m1-b)
m0,m1
Σb
Σ1-b
b←{0,1}
(Σ0,Σ1) or (┴,┴)
Adversary wins if: b = b∗.I † If strong unforgeability, the Open oracle returns ⊥ if
(m,Σ) = (mb,Σb) or (m,Σ) = (m1−b,Σ1−b).I If weak unforgeability, the Open oracle returns ⊥ if
m ∈ {m0,m1}.FORMALIZING GROUP BLIND SIGNATURES . . . 12
CONSTRUCTION CHALLENGES
How to realize the subtle dual privacy requirement and
1 Maintain round optimality
2 Avoid idealized assumptions
?
FORMALIZING GROUP BLIND SIGNATURES . . . 13
(PRIME-ORDER) BILINEAR GROUPS
G1, G2, GT are finite cyclic groups of prime order p, whereG1 := 〈G1〉 and G2 := 〈G2〉.
Pairing (e : G1 ×G2 −→ GT) :The function e must have the following properties:
I Bilinearity: ∀H1 ∈ G1 , H2 ∈ G2 x, y ∈ Z, we have
e(Hx1,H
y2) = e(H1,H2)xy.
I Non-degeneracy: The value e(G1,G2) 6= 1 generates GT .I The function e is efficiently computable.
Type-3 [GPS08]: G1 6= G2 and no efficiently computableisomorphism between G1 and G2.
FORMALIZING GROUP BLIND SIGNATURES . . . 14
GROTH-SAHAI PROOFS
Groth-Sahai proofs [GS08]:
G1 × G2f→ GT
ι1 ↓↑ ρ1 ι2 ↓↑ ρ2 ιT ↓↑ ρT
H1 := G21 × H2 := G2
2F−→ HT := G4
T
The system work by first committing to (encrypting) the witness andthen producing a proof for the statement.
The system can be instantiated in either:I The simulation setting⇒ perfectly hiding proofs.I The extraction setting⇒ perfectly sound proofs.
The limitations:1 Can only extract one-way function (i.e. Gw
i ) of an exponentwitness w.
2 Cannot simulate and extract at the same time.FORMALIZING GROUP BLIND SIGNATURES . . . 15
GROTH-SAHAI PROOFS
Useful Properties of Groth-Sahai Proofs:I Independence of public terms (Also, independently observed by
[Fuc11]):Example:
E :=
n∏j=1
e(Aj,Yj)
m∏i=1
e(Xi,Bi)
m∏i=1
n∏j=1
e(Xi,Yj)γi,j = tT ,
a proof Π for E is independent of tT ⇒ we can transform Π intoa NIZK/NIWI proof for a related equation without knowledge ofthe original witness.
I Re-randomizability of proofs [BCCKLS09]:Re-randomize the GS commitments and update the proofs⇒ thenew proof is unlinkable to the old one.
FORMALIZING GROUP BLIND SIGNATURES . . . 16
A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME
NCL is based on the CL signature scheme [CL04]:
THE NCL SIGNATURE SCHEME
KeyGen: Choose x, y← Zp, set sk := (x, y) andpk := (X := Gx
2,Y := Gy2).
Sign: To sign (M1,M2) ∈ G1 ×G2, return ⊥ ife(M1,G2) 6= e(G1,M2); otherwise, computeσ :=
(A := Ga
1, B := Ay, C := May1 , D := (A · C)x
)∈ G4
1.
Verify: Check that A 6= 1G1 and
e(B,G2) = e(A,Y)
e(C,G2) = e(B,M2)
e(D,G2) = e(A · C,X)
FORMALIZING GROUP BLIND SIGNATURES . . . 17
A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME
NCL is secure under the (interactive) DH-LRSW assumption:
DEFINITION (DUAL-HIDDEN LRSW (DH-LRSW) ASSUMPTION)
Given (Gx2,G
y2) for x, y← Zp and an oracle that on input a pair
(M1,M2) ∈ G1 ×G2 outputs:I ⊥ if e(M1,G2) 6= e(G1,M2).I A DH-LRSW tuple
(Ga
1,Gay1 ,M
ay1 ,A
x ·Maxy1
)for a← Zp
otherwise.
, it is infeasible to compute a DH-LRSW tuple for (M′1,M′2) that was
never queried to the oracle.
FORMALIZING GROUP BLIND SIGNATURES . . . 18
THE BLIND SIGNATURE SCHEME [FUC09]
As an example, we use the blind signature scheme by [Fuc09] basedon the following automorphic signature scheme:
THE AUTOMORPHIC SIGNATURE SCHEME [FUC09]
Setup: Given (e,G1,G2,GT ,G1,G2, p), choose F,K,T ← G1.
KeyGen: Choose s← Zp and set pk := (S1, S2) = (Gs1,G
s2).
Sign: To sign (M1,M2) ∈ G1 ×G2 wheree(M1,G2) = e(G1,M2), choose r, c← Zp and compute:
H := (K · Tr ·M1)1
x+c ,R1 := Gr1,R2 := Gr
2,C1 := Fc,C2 := Gc2.
The signature is σ := (H,R1,C1,R2,C2) ∈ G31 ×G2
2.
Verify: Check that
e(H, S2 · C2) = e(K ·M1,G2)e(T,R2)
e(C1,G2) = e(F,C2)
e(R1,G2) = e(G1,R2)
FORMALIZING GROUP BLIND SIGNATURES . . . 19
THE BLIND SIGNATURE SCHEME [FUC09]
The automorphic signature scheme is secure under:
DEFINITION (AWFCDH ASSUMPTION)
Given (G1,Ga1,G2) ∈ G×1
2 ×G×2 for a← Zp, it is infeasible to outputa tuple (Gb
1,Gab1 ,G
b2,G
ab2 ) ∈ G×1
2 ×G×22 for an arbitrary b ∈ Zp.
DEFINITION (q-ADHSDH ASSUMPTION)
Given (G1,F,K,Gx1,G2,Gx
2) ∈ G×14 ×G×2
2 for x← Zp, and q− 1
tuples (Ai := (K · Gri1 )
1x+ci ,C1,i := Fci ,C2,i := Gci
2 ,R1,i := Gri1 ,R2,i :=
Gri2 )q−1
i=1 , where ci, ri ← Zp, it is infeasible to output a new tuple (A∗,C∗1 ,C
∗2 ,R∗1,R∗2).
FORMALIZING GROUP BLIND SIGNATURES . . . 20
FISCHLIN’S GENERIC CONSTRUCTION FOR BLIND SIGNATURES
To get a round-optimal blind signature, Fischlin’s framework [Fis06]:
1 The user sends a commitment C to the message M to the signer.
2 The signer responds with a signature σ on the commitment C.3 The final blind signature Σ is a NIZK PoK Π of C and σ s.t.
1 σ is a valid signature on C w.r.t. pk.2 C is a commitment to M.
FORMALIZING GROUP BLIND SIGNATURES . . . 21
SIGNER-ANONYMOUS BLIND SIGNATURES
In Fischlin’s framework If:
1 The PoK used is re-randomizable and independent of the publicterms, e.g. Groth-Sahai proofs.
2 The signature scheme has the property that all the termsinvolving the message in the verification equations areindependent of the signature components relying on the signingkey, e.g. [Fuc09].
, we obtain a signer-anonymous blind signature.
FORMALIZING GROUP BLIND SIGNATURES . . . 22
SIGNER-ANONYMOUS BLIND SIGNATURES
Modify the Fischlin’s framework as follows:
1 The user sends a commitment C to the message M.2 The signer signs C and responds with a PoK Π′ of σ and pk s.t.
1 σ is a valid signature on C w.r.t. pk.3 The user proceeds as follows:
1 Re-randomizes Π′ into a fresh proof Π.2 Adds to Π a proof that C is a commitment to M.
The final signer-anonymous blind signature Σ is Π.
FORMALIZING GROUP BLIND SIGNATURES . . . 23
SIGNER-ANONYMOUS BLIND SIGNATURES
Security:
I Unforgeability: As in Fischlin’s framework.I Blindness: As in Fischlin’s framework + Re-randomizability of
the PoK.I Anonymity: The hiding (i.e. NIWI/NIZK) properties of the
PoK.
FORMALIZING GROUP BLIND SIGNATURES . . . 24
FROM A SIGNER-ANONYMOUS BS TO A GBS
To extend the signer-anonymous BS to a GBS, we need:
1 A signature scheme CERT to certify members’ public keyswhen they join.
⇒ Give skCERT to the Issuer as ik.
2 Give the PoK extraction key to the Opener as ok.
3 The signer additionally needs to prove that he has a certificate onhis public key w.r.t. pkCERT, i.e. that he is a member of the group.
FORMALIZING GROUP BLIND SIGNATURES . . . 25
INSTANTIATIONS
I Instantiation IThe Join Protocol: Uses the NCL signature scheme.The Signing Protocol: Based on the BS by [Fuc09] (i.e. Theautomorphic signature scheme + GS proofs).
Assumptions: DH-LRSW, SXDH, AWFCDH and q-ADHSDH.
I The Pros ,: More efficient (signature size is G381 + G36
2 ).I The Cons /: Involves some interactive intractability
assumptions (i.e. the DH-LRSW assumption).
FORMALIZING GROUP BLIND SIGNATURES . . . 26
INSTANTIATIONS
I Instantiation IIThe Join Protocol: Uses the automorphic signature scheme [Fuc09].The Signing Protocol: Based on the BS by [Fuc09] (i.e. theautomorphic signature scheme [Fuc09] + GS proofs).
Assumptions: SXDH, AWFCDH and q-ADHSDH.
I The Pros ,: Only relies on falsifiable intractability assumptions.I The Cons /: Less efficient (signature size is G42
1 + G382 ).
FORMALIZING GROUP BLIND SIGNATURES . . . 27
ACHIEVING FULL ANONYMITY
Groth-Sahai proofs are not simulation-sound⇒ when simulating, wecan no longer answer Open queries.
Q: How to achieve full anonymity?A: One way is to combine Groth-Sahai proofs with an IND-CCA2encryption scheme.I ⇒ The signer additionally encrypts the witness and proves that it
was done correctly. When simulating, decrypt the ciphertext torecover the witness.
The encryption scheme needs to be re-randomizable, e.g. maybe wecould use an IND-RCCA encryption scheme.
FORMALIZING GROUP BLIND SIGNATURES . . . 28
ACHIEVING FULL ANONYMITY
Groth-Sahai proofs are not simulation-sound⇒ when simulating, wecan no longer answer Open queries.
Q: How to achieve full anonymity?A: One way is to combine Groth-Sahai proofs with an IND-CCA2encryption scheme.I ⇒ The signer additionally encrypts the witness and proves that it
was done correctly. When simulating, decrypt the ciphertext torecover the witness.
The encryption scheme needs to be re-randomizable, e.g. maybe wecould use an IND-RCCA encryption scheme.
FORMALIZING GROUP BLIND SIGNATURES . . . 28
SUMMARY
I A formal security model for the primitive.I Round-optimal constructions.I The first constructions without idealized assumptions.
FORMALIZING GROUP BLIND SIGNATURES . . . 29
OPEN PROBLEMS
I Efficient fully-anonymous instantiations.I More efficient constructions without idealized assumptions.
FORMALIZING GROUP BLIND SIGNATURES . . . 30
THE END
Thank you for your attention!Questions?
FORMALIZING GROUP BLIND SIGNATURES . . . 31
top related