Blind Signatures Sanjam Garg Vanishree Rao Amit Sahai - - PowerPoint PPT Presentation



SLIDE 1

Round Optimal Blind Signatures

Sanjam Garg, Vanishree Rao, Amit Sahai (UCLA)
Dominique Schroeder* (University of Maryland)
Dominique Unruh (University of Tartu)

*Postdoctoral Fellow of the DAAD

(http://eprint.iacr.org/2011/264)

SLIDE 2

Blind signatures [C85]

  • Signer does not “see” the message m
  • User cannot produce more signatures than # interactions

[Diagram: signer, user]

CRYPTO 2011 2 Dominique Schröder


SLIDE 4

Applications

  • eCash
  • eVoting
      – User cannot vote for an additional candidate (unforgeability), voting agency does not see the vote (blindness)
      – The Most Valuable Player of the 2002 FIFA world soccer cup was selected using Votopia
  • Anonymous credentials
      – Microsoft U-PROVE
      – National Strategy for Trusted Identities in Cyberspace (NSTIC)

SLIDE 5

What’s next?

  • Security model
  • Our contribution
  • Related work
  • Construction
  • Relation to FS [10]


SLIDE 6

Security model

Unforgeability [JLO97,PS00]

[Diagram: signer, user, n-times]

SLIDE 7

Security model

Blindness [JLO97,PS00]

[Diagram: user, user]

(Aborts: PKC, FS[09])

SLIDE 8

Simple question:

[Diagram: signer, user]

Two moves?

SLIDE 9

Known constructions

  • Over 80 papers published
  • 2 moves (optimal):
      – Chaum, Boldyreva: interactive assumption, ROM
      – Fischlin: CRS
  • 3 moves: Pointcheval Stern, Abe (ROM)
  • 4 moves: Okamoto TCC06
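Chaum's scheme, listed above among the two-move constructions, makes the message flow and the blindness property concrete in its textbook RSA form. The following is an added example, not code from the talk or the paper, and it is not the Yao/OT construction the talk goes on to describe. The toy key, the SHA-256 hash reduced mod N and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key from two known Mersenne primes; illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's secret exponent


def fdh(message: bytes) -> int:
    """Hash into Z_N (toy stand-in for the random oracle)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def user_blind(message: bytes) -> tuple[int, int]:
    """Move 1, user -> signer: H(m) * r^e mod N for a fresh random unit r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (fdh(message) * pow(r, E, N)) % N, r


def signer_sign(blinded: int) -> int:
    """Move 2, signer -> user: deterministic, no signing randomness to bias."""
    return pow(blinded, D, N)


def user_unblind(blind_sig: int, r: int) -> int:
    """(H(m) * r^e)^d = H(m)^d * r, so dividing by r leaves the signature."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == fdh(message)


def explaining_factor(blinded: int, other: bytes) -> int:
    """Blindness check (uses D for the demo only): the r' under which the
    same first move would hide `other` instead. One exists for every message."""
    return pow(blinded * pow(fdh(other), -1, N), D, N)


def demo() -> tuple[bool, bool, bool]:
    blinded, r = user_blind(b"vote: A")
    sig = user_unblind(signer_sign(blinded), r)
    r_alt = explaining_factor(blinded, b"vote: B")
    consistent = (fdh(b"vote: B") * pow(r_alt, E, N)) % N == blinded
    return verify(b"vote: A", sig), verify(b"vote: B", sig), consistent
```

`demo()` returns whether the unblinded signature verifies for the signed message, whether it verifies for a different message, and whether the signer's view is equally consistent with that different message.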

SLIDE 10

Simple question:

[Diagram: signer, user]

  • Prove the security of a known two move scheme in the standard model.
  • Construct a completely new scheme.
  • Reduce the round complexity of a known scheme.

SLIDE 11

Simple question:

Prove the security of a known two move scheme in the standard model.

Fischlin, S[FS10]: No security reduction for one of the known two/three moves schemes to any non-interactive problem in the standard model.

Extension: Pass (STOC 11): unique blind signature.

SLIDE 12

Simple question:

[Diagram: signer, user]

Two moves?

(Caution: actual results may vary)

SLIDE 13

First stab

  • Idea: Use Yao’s garbled circuit with OT
  • Yao allows private evaluation of any general circuit
      – Consider the signature evaluation circuit
  • We also need a 2 round OT protocol [NP01, AIR01]
      – This protocol is not simulatable
      – Computational security for sender and statistical security for receiver

CRYPTO 2011 Sanjam Garg 13

SLIDE 14

First stab

  • Idea: Use Yao’s garbled circuit with a 2 round OT protocol [NP01, AIR01]

[Diagram: signer, user; messages OT1 and OT2,Yao]

Problem: 1) Yao is only semi-honest secure and 2) OT is not simulatable

Need to make it fully secure.

SLIDE 15

Cheating signer

[Diagram: signer, user; messages OT1 and OT2,Yao]

  • What can a cheating signer do to break blindness?
      – Encode any arbitrary function inside the Yao’s garbled circuit.
      – Manipulate the randomness used in signing to break blindness

Unique signature

In fact PRF suffices

More fundamental issue

SLIDE 16

Enforcing correct behavior

  • Signer additionally needs to prove correctness of its actions.
  • Idea: Use a proof protocol
      – What proof protocol can be used?
      – Standard ZK requires 3 rounds

[Diagram: signer, user; messages OT1 and OT2,Yao]

SLIDE 17

Super-Poly Simulation based ZK [Pass03]

[Diagram: Prover, Verifier; input x in L; messages zk1, zk2; Accepts/Rejects]

  • Zero Knowledge – For every cheating verifier V there exists a simulator S running in super poly time that can simulate the view of the verifier

SLIDE 18

Protocol so far

  • We have limited the signer in cheating by
      – Using deterministic signatures
      – Enforcing honest behavior by a Zero Knowledge protocol
  • Have we solved the problem of cheating signer?
      – Subtle issue remains: in proof of security, need to extract signatures
      – Solution: Use super-poly-time extraction
      – But can avoid the use of super-poly-time by specific rewinding technique (see paper)

[Diagram: signer, user; messages OT1,zk1 and OT2,Yao, zk2]

SLIDE 19

Cheating user – arguing unforgeability

  • Simulator simulating the view of the verifier is super-polynomial
  • Deal with this by using a signature scheme that is unforgeable even against super-poly time adversaries (complexity leveraging)
  • This allows us to argue unforgeability.

SLIDE 20

Relation to FS[10]

  • FS[10] proved impossibility of three round blind signature schemes
  • Restricted to blind signature schemes with some technical properties
  • Blindness holds with respect to a forgery oracle as well
  • Our scheme avoids this, but still achieves full security.

SLIDE 21

Open Problems

  • Improvements in terms of assumptions
  • We require sub-exponentially hard OWFs, trapdoor permutations and DDH

(Impossible from OWP: Katz, S, Yerukhimovich, TCC 2011)

  • Efficient constructions

SLIDE 22

Thanks

CRYPTO 2011 Sanjam Garg and Dominique Schröder 22

Amit Sahai Dominique Unruh Vanishree Rao