![Page 1: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/1.jpg)
Short Accountable Ring SignaturesBased on DDH
Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi, Jens Groth, and Christophe Petit
University College London
![Page 2: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/2.jpg)
Signature SchemesLink message to single entity
โ Signerโ Verifier S
๐, ๐V
![Page 3: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/3.jpg)
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
V
![Page 4: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/4.jpg)
Ring Signaturesโ Usersโ Verifier
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
V
![Page 5: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/5.jpg)
Ring Signaturesโ Usersโ Verifier
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
๐, ๐,R
๐$, ๐$,Rโฒ
V
![Page 6: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/6.jpg)
Ring Signaturesโ Usersโ Verifier
Group Signaturesโ Managerโ Usersโ Verifier
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
๐, ๐,R
๐$, ๐$,Rโฒ
V
![Page 7: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/7.jpg)
Ring Signaturesโ Usersโ Verifier
Group Signaturesโ Managerโ Usersโ Verifier
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
๐, ๐,R
๐$, ๐$,Rโฒ
V
M
๐ฉ , ๐
![Page 8: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/8.jpg)
Ring Signaturesโ Usersโ Verifier
Group Signaturesโ Managerโ Usersโ Verifier
Signature SchemesLink message to single entity
โ Signerโ Verifier
โขLink message to multiple entities:
S๐, ๐
๐, ๐,R
๐$, ๐$,Rโฒ
V
M
๐ฉ , ๐ Open(๐)
๐
![Page 9: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/9.jpg)
Accountable Ring Signatures [Xu and Yung]Link message to multiple entities
โข Usersโข Opener(s)โข Verifier
๐ฉ , ๐,R
๐$, ๐$,๐ โฒ
O
Open(๐)
![Page 10: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/10.jpg)
Accountable Ring Signatures
โข Setup, OpenerKeyGen, UserKeyGenโข Sign, Vfyโข Open, Judge
Security:โข Correctnessโข Full Unforgeabilityโข Anonymityโข Traceability with Tracing Soundness
![Page 11: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/11.jpg)
Components for Accountable Ring Signatures
โข One-ยญโway functions (๐๐ฅ)โข Homomorphic Commitments (Pedersen)
โข ๐ถ๐๐ ๐5 โ ๐ถ๐๐ ๐7 = ๐ถ๐๐ ๐5 โ ๐7
โข IND-ยญโCPA Encryption (ElGamal)โข Non-ยญโInteractive Zero Knowledge Proofsโข Signatures of Knowledge
![Page 12: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/12.jpg)
ฮฃ-ยญโProtocols
โข 3-ยญโmove protocols for some NP relation ๐ โข Prover demonstrates a statement ๐ฅ โ ๐ฟ;: there exists ๐ค s.t. ๐ฅ, ๐ค โ ๐
0/1
โข Completeness: outputs 1 for ๐ฅ โ ๐ฟ;โข ๐-ยญโSpecial Soundness: ๐ accepting ๐, ๐ง pairs for same ๐ฅ, ๐:we obtain wโข Special Honest Verifier Zero Knowledge: Transcripts between and
honest can be efficiently simulated for any challenge ๐
๐๐๐ง
![Page 13: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/13.jpg)
Non-ยญโInteractive Zero Knowledge Proofs
โข 1-ยญโmove protocols for some NP relation ๐ โข Fiat-ยญโShamir: challenge is hash of the transcript
0/1
โข Completeness: outputs 1 for ๐ฅ โ ๐ฟ;โข Soundness: If ๐ฅ โ ๐ฟ;, almost never outputs 1โข Zero Knowledge: Proofs can be efficiently simulated
๐ฅ, ๐
![Page 14: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/14.jpg)
Signatures of Knowledge
โข 1-ยญโmove protocols for some NP relation ๐ , given common reference string ๐๐๐
โข Prover demonstrates, w.r.t. message ๐,knowledge of ๐ค for statement ๐ฅ โ ๐ฟ;: ๐ฅ, ๐ค โ ๐ 0/1
โข Extractability: If produces good signatures, extract ๐ค by rewindingโข Straightline ๐-ยญโExtractability: we can extract ๐(๐ค) without rewinding โข Simulatability: signatures can be efficiently simulated
โข Extractor, Simulator is given control of ๐๐๐ creation
๐ฅ, ๐, ๐
![Page 15: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/15.jpg)
Construction
โข Setup: Choose discrete log group ๐ข , generator ๐and common reference string ๐๐๐
โข OpenerKeyGen: Create ElGamal keypair, publish ๐๐
โข UserKeyGen: Pick secret key ๐ ๐,output verification key ๐ฃ๐ = ๐MN
![Page 16: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/16.jpg)
Signing
โข Choose ring ๐ = ๐ฃ๐O, ๐ฃ๐5,โฆ , ๐ฃ๐ โฆ , ๐ฃ๐N
โข Prove ๐ฃ๐ โ ๐ โข Attach encryption ๐ of ๐ฃ๐ so opener can traceโข Prove knowledge of ๐ ๐ = log (๐ฃ๐)โข Prove knowledge, correctness of ๐โข Bind ๐ to message๐ via Fiat-ยญโShamir
๐ MTU =(๐ , ๐), (๐ ๐, ๐ ):
๐ฃ๐ โ ๐ โง ๐ฃ๐ = ๐MN โง ๐ = ๐ธ(๐ฃ๐; ๐)
![Page 17: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/17.jpg)
Signing
โข Choose ring ๐ = ๐ฃ๐O, ๐ฃ๐5,โฆ , ๐ฃ๐ โฆ , ๐ฃ๐N
โข Prove ๐ฃ๐ โ ๐ โข Attach encryption ๐ of ๐ฃ๐ so opener can traceโข Prove knowledge of ๐ ๐ = log (๐ฃ๐)โข Prove knowledge, correctness of ๐โข Bind ๐ to message๐ via Fiat-ยญโShamir
๐ MTU =(๐ , ๐), (๐ ๐, ๐ ):
๐ฃ๐ โ ๐ โง ๐ฃ๐ = ๐MN โง ๐ = ๐ธ(๐ฃ๐; ๐)
![Page 18: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/18.jpg)
Signing
โข Choose ring ๐ = ๐ฃ๐O, ๐ฃ๐5, โฆ , ๐ฃ๐ โฆ , ๐ฃ๐Nโข Prove ๐ฃ๐ โ ๐
Could prove: ๐ฃ๐ = ๐ฃ๐O OR ๐ฃ๐ = ๐ฃ๐5 OR โฆ OR ๐ฃ๐ = ๐ฃ๐Nโ Linear size: too big for large rings
Use One-ยญโout-ยญโof-ยญโMany proof by Groth and Kohlweissโ Take ๐T = ๐/๐ธ ๐ฃ๐T ; 0โ Use modified GK to show one node encrypts 1
![Page 19: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/19.jpg)
GK idea
โข We want to open ๐Y without revealing ๐
โข ๐Y = โ๐T\] , where ฮT = 1 โ ๐ = ๐
โข Commit to ฮT. Also commit to blinders ๐Tโข Given challenge x, reply with fT = x โ ฮT + ๐Tโข โ๐T
e] = ๐Yf โ โ๐Tg]
![Page 20: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/20.jpg)
GK idea
โข We want to open ๐Y without revealing ๐
โข ๐Y = โ๐T\] , where ฮT = 1 โ ๐ = ๐
โข Commit to ฮT. Also commit to blinders ๐Tโข Given challenge x, reply with fT = x โ ฮT + ๐Tโข โ๐T
e] = ๐Yf โ โ๐Tg]
โข ๐บ = โ๐Tg]does not depend on x. Rerandomize as ๐บโ
![Page 21: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/21.jpg)
GK idea
โข We want to open ๐Y without revealing ๐
โข ๐Y = โ๐T\] , where ฮT = 1 โ ๐ = ๐
โข Commit to ฮT. Also commit to blinders ๐Tโข Given challenge x, reply with fT = x โ ฮT + ๐Tโข โ๐T
e] = ๐Yf โ โ๐Tg]
โข ๐บ = โ๐Tg]does not depend on x. Rerandomize as ๐บโ
, reveal ๐บโฒ
![Page 22: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/22.jpg)
GK idea
โข We want to open ๐Y without revealing ๐
โข ๐Y = โ๐T\] , where ฮT = 1 โ ๐ = ๐
โข Commit to ฮT. Also commit to blinders ๐Tโข Given challenge x, reply with fT = x โ ฮT + ๐Tโข โ๐T
e] = ๐Yf โ โ๐Tg]
โข ๐บ = โ๐Tg]does not depend on x. Rerandomize as ๐บโ
โข โ๐Te] ๐บ$โ = ๐Yf โ ๐ธ 1;๐ = ๐ธ(1; ๐$)
, reveal ๐บโฒ
![Page 23: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/23.jpg)
n-ยญโtree GK
10 0
0 010 01 0 01
โข Split ๐, ฮT by level: ๐ = โ๐l โ ๐l ๐ฟ๐l, ๐ : ฮT = โ ๐ฟTo,l
Height m n-ยญtree
![Page 24: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/24.jpg)
n-ยญโtree GK
10 0
0 010 01 0 01
โข Split ๐, ฮT by level: ๐ = โ๐l โ ๐l ๐ฟ๐l, ๐ : ฮT = โ ๐ฟTo,lโข Commit to ๐ฟ๐l, ๐, prove 0/1, for each ๐ exactly one ๐ฟ๐l, ๐ is 1
Height m n-ยญtree
๐ = 3๐O = 1๐5 = 0
๐ฟO = [0,1,0]
๐ฟ5 = [1,0,0]
![Page 25: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/25.jpg)
n-ยญโtree GK
โข Commit to ๐ฟl,To . Also commit to blinders ๐T,lโข Given challenge x, reply with fl,To = x โ ๐ฟl,To + ๐l,Toโข Let ๐T(๐ฅ) = โ๐l,Toโข Key point: ๐ฅs appears only if all ๐ฟl,To are 1 i.e ๐ = ๐
โข ๐T ๐ฅ = ฮt๐ฅs + โ ๐T,N๐ฅNsu5NvO where ๐T,N depend on ๐, ๐l,To
โข โ๐Tw] f = ๐Y โ โ ๐N๐ฅNsu5
NvO
โข ๐N do not depend on x.
![Page 26: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/26.jpg)
n-ยญโtree GKโข ๐N do not depend on ๐ฅโข We commit beforehand as ๐บN
โข What is โ๐Tโe]o,o โ ๐บNf
yzsu5NvO ?
โข If ๐Y is an encryption of 1, result is encryption of 1
โข Otherwise, with overwhelming probability itโs an encryption of a value โ 1, so canโt be opened to 1
![Page 27: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/27.jpg)
Opening
โข Openโ Check if ๐ actually verifiesโ Decrypt ciphertext ๐ attached in signatureโ Prove correctness of decryption in Zero Knowledge
โข Judgeโ Check decryption correctness
![Page 28: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/28.jpg)
Simulated Opening & Straightline Extractability
โข To prove anonymity, we do an IND-ยญโCCA style proofโ Need to extract ๐ฃ๐ from sigsโ Canโt see the key
โข Adversary can obstruct rewindingโ Adversaryโs signatures related to each otherโ Rewinding to open one changes previous โmore rewinding
โข We need to extract ๐ฃ๐ = ๐MN with no rewindingโ Cheap solution: Attach 2nd encryption of ๐ฃ๐ to proof [NY]โ Simulator has 2nd key in simulationโ Nobody has the key in real world
![Page 29: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/29.jpg)
Efficiency
โข log ๐ + 12 Group Elements
โข ๏ฟฝ7log ๐ + 6 Field Elements
โข Competitive vs sRSA/DDH schemesScheme |๐ | = 128 |๐ | = 1024 |๐ | = 1Mi[CG05] โ 2048 sRSA + d.Log 10 Kib 10 Kib 10 KibThis โ 192 ECC 6.7 Kib 8.1Kib 12.75 KibThis โ 192 ECC 7.8 Kib 9.4 Kib 14.875 Kib
โข Linear expos (or worse) to Signโข Linear expos to Verify
![Page 30: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/30.jpg)
โข Accountable Ring Signatures can be best of both worldsโ Tracing functionality of Group sigsโ Free choice of ringโ Free choice of openerโ Can derive Ring and Group signatures
โข Signature size:โ Competitive vs sRSA/DDH schemesโ Better than 50% size improvement overoriginal GK construction: binary โ๐-ยญโtree,mixed Com+Enc
Summary
๐ฉ , ๐,R
Open(๐)
๐$, ๐$,๐ โฒ
![Page 31: Short&Accountable&Ring&Signatures Based&on&DDH](https://reader031.vdocuments.mx/reader031/viewer/2022012101/6169f2f011a7b741a34d2741/html5/thumbnails/31.jpg)
Thanks!