Attribute-Based Signatures for Unbounded Languages from Standard - - PowerPoint PPT Presentation
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) Goichiro Hanaoka (AIST, Japan) 1 Our Contribution
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions
Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) Goichiro Hanaoka (AIST, Japan)
1
Our Contribution
Turing machines
– A key-policy variant – The policy is described by a Turing machine (TM) – The attribute is an input to a TM
2
The scheme allows policies that accept unbounded inputs!
Agenda
3
Attribute-Based Signatures (ABS)
skP skPʹ skP P
4
a b c d e
q
Attribute-Based Signatures
skP skPʹ skx x σ ß AttrSign(pp,skP,M,x)
5
a b c d e
q
x=x1x2x3…
Attribute-Based Signatures
skP skPʹ skx x M, x, σ 1/0 ß AttrVerify(pp,M,x,σ) σ is made by someone whose policy P satisfy P(x) = 1
6
x=x1x2x3…
Agenda
7
Anonymity
skP skPʹ skx x M, x, σ Cannot tell who made σ among signers who satisfy P(x) = 1
8
Unforgeability
skP skx x M, x, σ Cannot make valid σ if P(x) = 0 skPʹ
9
Agenda
10
Certificate Approach (1/2)
skP = θP = Sign(msk, P) skPʹ = θPʹ = Sign(msk, Pʹ) skP x msk
11
Each signer receives a signature on his policy
Certificate Approach (2/2)
skP x msk M, x, σ
12
skP = θP = Sign(msk, P) skPʹ = θPʹ = Sign(msk, Pʹ)
Prove knowledge of (P, θ): (1) Verify(P, θ) = 1 (2) P(x) = 1
Difficulty
P(x) = 1
– Remind that P is a Turing machine
so we will decompose the statement
13
Prove knowledge of (P, θP): (1) Verify(P, θx) = 1 (2) P(x) = 1
Agenda
14
Idea: History of Computation
computation proceeds sequentially
“snapshots” of the machine
15
w1 w2 w3 w4 w5
q0
Idea: History of Computation
computation proceeds sequentially
“snapshots” of the machine
16
w1 w2 w3 w4 w5
q0
wʹ1 w2 w3 w4 w5
q1
Idea: History of Computation
computation proceeds sequentially
“snapshots” of the machine
17
w1 w2 w3 w4 w5
q0
wʹ1 w2 w3 w4 w5
q1
wʹ1 wʹ2 w3 w4 w5
q2
Idea: History of Computation
computation proceeds sequentially
“snapshots” of the machine
18
w1 w2 w3 w4 w5
q0
wʹ1 w2 w3 w4 w5
q1
wʹ1 wʹ2 w3 w4 w5
q2
Implement the Certificate Approach
we can rephrase the proof as follows:
θ[s,sʹ] ß Sign(msk, (s,sʹ)) ∀s à sʹ: valid transition
19
Prove knowledge of (s1, …, sT): (1) si → si+1 follows the transition function
Signing Every Possible Transition
20
s0: s1: s2:
valid transition valid transition
Prove knowledge of (s0, s1, θ1): Verify(vk, (s0, s1), θ1) = 1
Signing Every Possible Transition
21
s0: s1: s2:
valid transition valid transition
Prove knowledge of (s0, s1, θ1): Verify(vk, (s0, s1), θ1) = 1 Prove knowledge of (s1, s2, θ2): Verify(vk, (s1, s2), θ2) = 1
Signing Every Possible Transition
22
s0: s1: s2:
valid transition valid transition
Prove knowledge of (s1, …, sT, θ1, …, θT): (1) Verify((si-1,si), θi) = 1
Main Difficulty
– since snapshots have unbounded lengths
23
Prove knowledge of (s1, …, sT, θ1, …, θT): (1) Verify((si-1,si), θi) = 1
Agenda
24
Configuration
configuration
interleaved with (2) the state symbol q
– the position of q encodes the position of the head
25
w1 w2 w3 w4 w5
q
… w1 w2 q w3 w4 w5 …
Locality of Rewriting
determined by neighbors in the old configuration
26
w1 w5 w4 w3 q w2 step t: w1 w5 w4 wʹ3 w2 qʹ step t+1:
The General Cases
neighbors in the old configuration
27
a b c d Case 1 a b c d b c d e Case 2 b c d qÕ c d e q Case 3 c d qÕ e d e q x Case 4 d qÕ e xÕ e q x f Case 5 qÕ e xÕ f q x f g Case 6 e xÕ f g
a b c d e q x f g a b c d qÕ e xÕ f g
Case 1 Case 2 Case 3 Case 4 Case 5 Case 6
new:
Enforcing Validity of Transition
KGC signs on every valid 5-tuple: θ[w1, w2, w3, w4, u] ß Sign(msk, (w1, w2, w3, w4, u))
for every symbol in the new configuration
28
w1 w3 w4 w2 u
w1 w5 w4 w3 q w2 w1 w5 w4 wʹ3 w2 qʹ
new:
Enforcing Validity of Transition
KGC signs on every valid 5-tuple: θ[w1, w2, w3, w4, u] ß Sign(msk, (w1, w2, w3, w4, u))
for every symbol in the new configuration
29
w1 w3 w4 w2 u
w1 w5 w4 w3 q w2 w1 w5 w4 wʹ3 w2 qʹ
new:
Prove knowledge of (w1, w2, q, w3, qʹ, θ1): Verify(vk, (w1, w2, q, w3, qʹ), θ1) = 1
Enforcing Validity of Transition
KGC signs on every valid 5-tuple: θ[w1, w2, w3, w4, u] ß Sign(msk, (w1, w2, w3, w4, u))
for every symbol in the new configuration
30
w1 w3 w4 w2 u
w1 w5 w4 w3 q w2 w1 w5 w4 wʹ3 w2 qʹ
new:
Prove knowledge of (w2, q, w3, w4, w2, θ2): Verify(vk, (w2, q, w3, w4, w2), θ2) = 1
Enforcing Validity of Transition
KGC signs on every valid 5-tuple: θ[w1, w2, w3, w4, u] ß Sign(msk, (w1, w2, w3, w4, u))
for every symbol in the new configuration
31
w1 w3 w4 w2 u
w1 w5 w4 w3 q w2 w1 w5 w4 wʹ3 w2 qʹ
new:
Prove knowledge of (q, w3, w4, w5, wʹ3, θ3): Verify(vk, (q, w3, w4, w5, wʹ3), θ3) = 1
Agenda
32
Putting All Together
neighbors (quadratic in running time of TM)
33
w1 w2 w3 w4 wʹ5 w6 w7 w8 w9 w10 q2 w1 w2 w3 w4 q1 w6 w7 w8 w9 w10 w5 w1 w2 w3 w4 q3 wʹʹ6 w7 w8 w9 w10 wʹ5 w1 w2 w3 q4 w4 w6 w7 w8 w9 w10 wʹʹ5
Verify((wʹ5, q2, w6, w7, wʹ5), θ) = 1
The Scheme
– crs ß CRSGen(1k), (vk, sk) ß SigKg(1k)
– for every valid 5-tuple (w1, w2, w3, w4, u):
– πi,j ß Prove(crs, (wi-1,j-2, wi-1,j-1,, wi-1,j, wi+1,j, wi,j, θ))
34
w1 w3 w4 w2 u
Main Theorem
35
Theorem If the non-interactive proof system is witness-indistinguishable and extractable, the signature scheme is unforgeable, the proposed scheme is anonymous and unforgeable Theorem If SXDH assumption holds, the proposed scheme satisfies anonymity and unforgeability
Instantiate this with GS proofs in SXDH setting and structure-preserving signatures
Efficiency
36
|Γ|: The size of the tape alphabet T: The running time of the TM Signing key length Signature length Verification time O(|Γ|4) O(T2) O(T2)
Agenda
37
Summary
for unbounded languages (Turing machines)
– Uniform model of computation as the policy – No bound on the sizes of both TMs and attributes – Can be instantiated from the SXDH assumption in bilinear groups
38