Designated Verifier Signatures: Attacks, New Definitions and - PowerPoint PPT Presentation

Estonian Theory Days, Koke, Estonia Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa Helsinki University of Technology, Finland Guilin Wang and Feng Bao Institute of Infocomm Research, Singapore Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 1

Outline • Motivation for DVS • Attacks on Some Previous Constructions • New Security Notions • Our Own Construction • Conclusion Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 2

Outline • Motivation for DVS • Attacks on Some Previous Constructions • New Security Notions • Our Own Construction • Conclusion Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 3

Motivation I w4nt 2 read s0me b00k. But I h4ve 2 b a subscr1b3r! Th1s 1s ok, I c4n s1gn my request But 1 do not w4nt Sl1ck to show the s1gnatur3 2 oth3rs! Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 4

Motivation I w4nt 2 read s0me b00k. But I h4ve 2 b a subscr1b3r! Th1s 1s ok, I c4n s1gn my request But 1 do not w4nt Sl1ck to show the s1gnatur3 2 oth3rs! My fr1end Markus sa1d I can us3 des1nated ver1f1er s1gnatures! S1nce Desmond can s1mulate such s1gnatures, the s1gnatures are non−transferable. Hej! I am Markus. Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 5

More applications? • E-voting: Signy is a voter, Desmond is a tallier. Desmond gets to know voter is Signy but cannot prove it to anybody else. • Also related to privacy-preserving data-mining: ⋆ Desmond knows Signy is a loyal customer; Signy gets bonus ⋆ Desmond can add information about Signy in the database and pro- cess it later ⋆ Desmond can’t prove to anybody else that the database is correct but he trusts himself! • Etc etc etc Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 6

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 7

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 8

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Generate random w, t, r ← Z q Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 9

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Generate random w, t, r ← Z q Set h ← H ( g w y t D , g r , m r ) Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 10

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Generate random w, t, r ← Z q Set h ← H ( g w y t D , g r , m r ) Set z ← r + ( h + w ) x S Signature σ = ( s ; w, t, h, z ) Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 11

Thus spake Markus to Signy: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Generate random w, t, r ← Z q Set h ← H ( g w y t D , g r , m r ) Set z ← r + ( h + w ) x S Signature σ = ( s ; w, t, h, z ) D , g z y − ( h + w ) , m z ß − ( h + w ) Verify that h = H ( g w y t ) S � �� � � �� � m z − ( h + w ) xS = m r g z − ( h + w ) xS = g r Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 12

Thus spake Markus to Desmond: Desmond does Public key y S = g x S Public key y D = g x D Choose any s Generate random z, α, β ← Z q D , g z y − β Set h ← H ( g w y t S , m z s − β ) Set w ← β − h , t ← ( α − w ) x − 1 D Signature σ = ( s ; w, t, h, z ) D , g z y − ( h + w ) , m z s − ( h + w ) Verify that h = H ( g w y t ) S � �� � � �� � m z s − β g z y − β S Das ist ja Korrekt! Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 13

Thus spake Markus to both: • If Signy signs: s = m x S , thus ( g, y S , m, s ) is a DDH tuple. ⋆ ( g, y S , m, s ) = ( g, g a , g b , g ab ) for some a, b • Signy proves in NIZK that ( g, y S , m, s ) is a DDH tuple. • If Desmond simulates: s is chosen randomly, thus ( g, y S , m, s ) is not a DDH tuple with very high probability, 1 − 1 q ⋆ c = g w y t D for which Desmond knows the trapdoor x D ⋆ Desmond “simulates” proof by using the trapdoor for any s ∈ Z p • Signy can disavow, w.h.p. 1 − 1 q , by proving that s � = m x S Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 14

Thus spake Markus to both: • To generate a valid σ ← ( s ; w, t, h, z ) you must know either x S or x D • Thus Desmond knows σ was generated by Signy ⋆ Since Desmond did not generate it himself • Any third party doesn’t know whether σ was generated by Signy or Desmond And Signy was very happy and Desmond coverted in snow. Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 15

But Desmond met Guilin and Guilin spake to him: Heh−heh! No plobrem! I wirr bleak that! Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 16

But Desmond met Guilin and Guilin spake to him: Public key y S = g x S Public key y D = g x D Generate random w, t, r � = r ← Z q Set h ← H ( g w y t D , g r , m r ) Set z ← r + ( h + w ) x S Set s ← m x S · m ( r − r ) / ( h + w ) Signature σ = ( s ; w, t, h, z ) Signy can also do this! D , g z y − ( h + w ) , m z ( s ) − ( h + w ) Verify that h = H ( g w y t ) S � �� � � �� � m z − ( h + w ) xS − ( r − r ) = m r g z − ( r − r ) = g r Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 17

But Desmond met Guilin and Guilin spake to him: • Verification succeeds, thus Desmond accepts it as Signy’s signature • However, since s � = m x S , Signy can later disavow it! And Desmond was not so happy anymore. Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 18

Quick fix: Signy does Public key y S = g x S Public key y D = g x D Generate s ← m x S Generate random w, t, r ← Z q Set h ← H ( g w y t D , g r , m r , pk S , pk D , s ) Set z ← r + ( h + w ) x S Signature σ = ( s ; w, t, h, z ) D , g z y − ( h + w ) Verify that h = H ( g w y t , m z s − ( h + w ) , PK S , PK D , s ) S Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 19

Then, Signy met some other people • Steinfeld, Bull, Wang and Pieprzyk said: use a bilinear pairing �· , ·� ⋆ � b a , d c � = � b, d � ac • Signy signs m : s = � m x S , y D � = � m, g � x S x D • Desmond simulates: s = � m x D , y S � = � m, g � x S x D • Here, Signy cannot disavow since s = s And Signy was happy again and kissed Pieprzyk. I like this job ! Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 20

However, Desmond met Guilin again Guilin spake to Desmond: • Signy can compute y SD := g x S x D and publish it • Then anybody can sign m as s = � m, y SD � = � m, g � x S x D • Thus Signy can delegate her subscription to your library, without revealing her public key And Desmond wanted to cry. Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 21

And so forth and so forth • Signy and Desmond met many wise men who proposed better and better designated verifier signature schemes. • However, Guilin broke them all! • Sad story, eh? • Signy even thought about never reading a book again! Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 22

What went wrong? • [JSI1996]: disavowability claimed but does not exist • [SBWP2003] and some other schemes were delegatable ⇒ propose a modification that is unforgeable ⋆ Use as tight reductions as possible ⋆ . . . and as weak trust model as possible ⇒ Eliminate disavowal or make it “secure” • Non-delegatability was never considered before ⇒ Define non-delegatability and propose a non-delegatable scheme Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 23

Unforgeability Consider the next game: • Choose random key pairs for Signy and Desmond • Give the Forger both public keys, an oracle access to Signy’s signing al- gorithm, Desmond’s simulation algorithm and the hash function • Forger returns a message m and a signature σ Forger is successful if verification on ( m, σ ) succeeds and he never asked a sign/simul query on m that returned σ Scheme is ( τ, q h , q s , ε ) -unforgeable ⇐ ⇒ no ( τ, q h , q s ) -forger has success probability > ε Forger runs in time τ , does q h queries to hash function and q s queries to either signing or simulation algorithm Koke, ETD 2005, Estonia, 26.01.2005 Designated Verifier Signatures, Helger Lipmaa 24