Efficient Redactable Signature and Application to Anonymous - - PowerPoint PPT Presentation

SLIDE 1

Efficient Redactable Signature and Application to Anonymous Credentials

Olivier Sanders

Orange Labs

PKC 2020

SLIDE 2

Context

PKC 2020 – p 2

SLIDE 3

Digital Signature

Digital signature can be used to authenticate digital data.

[Figure: (Name, Birthdate, Address, ...) → Sign with sk → σ]

Not even one bit can be modified.

SLIDE 4

Digital Signature

Digital signature can be used to authenticate digital data.

[Figure: (Name, Birthdate, Address, ...) and σ → Verif with pk → 0/1]

Verification requires knowledge of all signed data.

SLIDE 5

Limits of Digital Signature

Use Case: One just needs to verify that age ≥ 18

Efficiency: ✗ (n messages to send)
Privacy: ✗ (reveals all signed data to the verifier)

How to efficiently and privately check that k out of n messages are certified or satisfy some relations?

Standard alternatives:

Alternative 1: 1 signature per message
− Efficiency: ∼ (n signatures to store)
− Privacy: ➚

SLIDE 6

Limits of Digital Signature

Alternative 2: Merkle's tree
− Efficiency: ➚ (log(n) elements to send)
− Privacy: ∼ (prevents zero-knowledge proofs)

Alternative 3: proof of knowledge of the n messages
− Efficiency: ➘
− Privacy:

⇒ no satisfying solution

SLIDE 7

Accumulators

Solution from [FHS19]¹

[Figure: (Name, Birthdate, Address, ...) → Acc → C → Sign with sk → σ]

Messages are accumulated and then signed.

¹ Fuchsbauer, Hanser and Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials, Journal of Cryptology, 2019

SLIDE 8

Accumulators

Solution from [FHS19]¹

[Figure: (Name, Birthdate, Address, ...) → Acc → C, σ; Open → W]

A witness W that "birthdate" has been accumulated can be computed.

SLIDE 9

Accumulators

Solution from [FHS19]¹

[Figure: Open → W; Verif with pk on C and σ → 0/1; AccV on C and W → 0/1]

Given C, W, σ, one can check that "birthdate" has been signed.

SLIDE 10

Accumulators

Assessment of FHS solution (compared to basic signature):

Efficiency:

− O(1) certificate size
− O(1) communication complexity²
− O(k) verification complexity

Privacy: ∼

− the k messages must be disclosed, no ability to prove that they satisfy some relations (e.g. age ≥ 18)

⇒ not fully satisfying

² excluding the k disclosed messages

SLIDE 11

Unlinkable Redactable Signature

Solution from [CDHK15]³

[Figure: (Name, Birthdate, Address, ...) → Sign with sk → σ]

1 signature σ on all messages.

³ Camenisch, Dubovitskaya, Haralambiev and Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions, Asiacrypt, 2015

SLIDE 12

Unlinkable Redactable Signature

Solution from [CDHK15]³

[Figure: (Name, Birthdate, Address, ...) and σ → Deriv with pk → σ′]

A signature σ′ can be derived on a subset of messages.

SLIDE 13

Unlinkable Redactable Signature

Solution from [CDHK15]³

[Figure: Deriv → σ′; Verif with pk on σ′ → 0/1]

No need to know the redacted messages to check σ′.

SLIDE 14

Unlinkable Redactable Signature

Assessment of CDHK solution (compared to basic signature):

Efficiency: ➚

− O(1) certificate size
− O(1) communication complexity⁴
− very large constant
− O(k) verification complexity

Privacy: ∼

− the k messages must be disclosed, no ability to prove that they satisfy some relations (e.g. age ≥ 18)
− derived signatures can be unlinkable

⇒ not fully satisfying

⁴ excluding the k disclosed messages

SLIDE 15

Our Contribution


SLIDE 16

Unlinkable Redactable Signature

We want an unlinkable redactable signature scheme with:

Efficiency:

− short, constant-size (derived) signatures
− verification of k out of n messages in O(k)

Privacy:

− unlinkability: to link signatures derived from the same σ is hard
− relations about non-redacted messages can be proved in ZK

SLIDE 17

Pointcheval-Sanders Signature

Our starting point: PS signature5

− use an asymmetric bilinear group $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
− secret $(x, y_1, \ldots, y_n)$ and public $X = g^x$, $Y_i = g^{y_i}$ in $\mathbb{G}_1$
− a signature on $(m_1, \ldots, m_n)$ is

$$\sigma_1 \xleftarrow{\$} \mathbb{G}_2 \quad\text{and}\quad \sigma_2 \leftarrow \sigma_1^{\,x + \sum_{i=1}^{n} y_i m_i}$$

− verification:

$$e(g, \sigma_2) \stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \sigma_1\Big)$$

− designed to support proofs of knowledge of $m_i$

⁵ Pointcheval and Sanders, Short Randomizable Signature, CT-RSA 16

SLIDE 18

Pointcheval-Sanders Signature

Use Case: V wants to check that a subset $\{m_i\}_{i \in I}$ of messages is signed and/or satisfies some relations
⇒ messages $\{m_i\}_{i \in \overline{I}}$ are redacted, with $\overline{I} = \{1, \ldots, n\} \setminus I$

Standard solution:
− prove knowledge of redacted messages
− reveal and/or prove relations about $\{m_i\}_{i \in I}$

⇒ inefficient

SLIDE 19–23

A First Attempt

Verification of PS signatures:

$$e(g, \sigma_2) \stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \sigma_1\Big)$$

$$\phantom{e(g, \sigma_2)} \stackrel{?}{=} e\Big(X \prod_{i \in I} Y_i^{m_i} \prod_{i \in \overline{I}} Y_i^{m_i},\ \sigma_1\Big)$$

$$\phantom{e(g, \sigma_2)} \stackrel{?}{=} e\Big(X\, \tilde{\sigma}_1 \prod_{i \in I} Y_i^{m_i},\ \sigma_1\Big), \qquad \tilde{\sigma}_1 = \prod_{i \in \overline{I}} Y_i^{m_i}$$

$$\phantom{e(g, \sigma_2)} \stackrel{?}{=} e\Big(X\, \tilde{\sigma}_1\, Y_{i_0}^{m_{i_0}} \prod_{i \in I \setminus \{i_0\}} Y_i^{m_i},\ \sigma_1\Big)$$

$$\phantom{e(g, \sigma_2)} \stackrel{?}{=} e\Big(X\, \tilde{\sigma}'_1\, Y_{i_0}^{t} \prod_{i \in I \setminus \{i_0\}} Y_i^{m_i},\ \sigma_1\Big), \qquad \tilde{\sigma}'_1 = \tilde{\sigma}_1\, Y_{i_0}^{m_{i_0} - t}$$

$(\tilde{\sigma}_1, \sigma_1, \sigma_2)$ is not a secure redactable signature on $\{m_i\}_{i \in I}$: $(\tilde{\sigma}'_1, \sigma_1, \sigma_2)$ is valid on $t$ and $\{m_i\}_{i \in I \setminus \{i_0\}}$

SLIDE 24

A Linkable Solution

Problem: elements $Y_i^{u_i}$, for $i \in I$, can be aggregated in $\tilde{\sigma}_1$

Solution 1: prove that $\tilde{\sigma}_1 = \prod_{i \in \overline{I}} Y_i^{m_i}$
− inefficient (back to square 1)
− overkill: proves more than what we need

SLIDE 25

A Linkable Solution

Problem: elements $Y_i^{u_i}$, for $i \in I$, can be aggregated in $\tilde{\sigma}_1$

Our solution: if $\tilde{\sigma}_1$ is honestly formed (with $\tilde{g}$ a generator of $\mathbb{G}_2$),

$$e\Big(\tilde{\sigma}_1,\ \prod_{i \in I} \tilde{g}^{y_i}\Big) = e(g, \tilde{g})^{f(y_1, \ldots, y_n)}$$

where $f$ only contains monomials $y_i \cdot y_j$, for $i \neq j$

SLIDE 26

A Linkable Solution

Problem: elements $Y_i^{u_i}$, for $i \in I$, can be aggregated in $\tilde{\sigma}_1$

Our solution: if $\tilde{\sigma}_1$ is forged,

$$e\Big(\tilde{\sigma}_1,\ \prod_{i \in I} \tilde{g}^{y_i}\Big) = e(g, \tilde{g})^{f(y_1, \ldots, y_n)}$$

where $f$ contains monomials $y_i^2$, $i \in I$

We add $\{g^{y_i y_j}\}_{i \neq j}$ in pk:
− sufficient to compute $\tilde{\sigma}_2 = g^{f(y_1, \ldots, y_n)}$ if $\tilde{\sigma}_1$ honestly formed
− not sufficient to compute $\tilde{\sigma}_2 = g^{f(y_1, \ldots, y_n)}$ if $\tilde{\sigma}_1$ forged
− "validity" of $\tilde{\sigma}_1$ can be checked:

$$e\Big(\tilde{\sigma}_1,\ \prod_{i \in I} \tilde{g}^{y_i}\Big) \stackrel{?}{=} e(\tilde{\sigma}_2, \tilde{g})$$

SLIDE 27

Achieving Unlinkability

Our redactable signature $(\sigma_1, \sigma_2, \tilde{\sigma}_1, \tilde{\sigma}_2)$ is:
− constant size (4 group elements)
− $O(|I|)$ complexity for verification
− ✗ not unlinkable: $(\sigma_1, \sigma_2)$ can be re-randomized but not $(\tilde{\sigma}_1, \tilde{\sigma}_2)$

We use a different approach:
− $\tilde{\sigma}_2$ only proves that $\tilde{\sigma}_1$ does not contain illicit elements $\{Y_{i_0}^{u_{i_0}}\}_{i_0 \in I}$
− we can aggregate anything else in $\tilde{\sigma}_1$

SLIDE 28–30

Achieving Unlinkability

Step 1: aggregate $t \xleftarrow{\$} \mathbb{Z}_p$ under dummy public key $1$

$$\sigma''_2 \leftarrow \sigma_2 \cdot \sigma_1^{\,t}$$

− re-randomize: $(\sigma'_1, \sigma'_2) \leftarrow \big(\sigma_1^{\,r}, (\sigma''_2)^{r}\big)$, with $r \xleftarrow{\$} \mathbb{Z}_p$
− $(\sigma'_1, \sigma'_2)$ is valid on $(m_1, \ldots, m_n, t)$

Step 2: redact $\{m_i\}_{i \in \overline{I}}$ and $t$

$$\tilde{\sigma}'_1 = g^{t} \cdot \prod_{i \in \overline{I}} Y_i^{m_i}$$

$$\tilde{\sigma}'_2 \leftarrow \Big(\prod_{i \in I} Y_i\Big)^{t} \prod_{i \in I,\ j \in \overline{I}} \big(g^{y_i y_j}\big)^{m_j}$$

Step 3: output $\sigma = (\sigma'_1, \sigma'_2, \tilde{\sigma}'_1, \tilde{\sigma}'_2)$

$t$ perfectly hides redacted messages: unlinkability holds unconditionally
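The following is an added illustration, not code from the slides or from the paper's authors: an exponent-space simulation of the scheme that serves the PS signature of slide 17, the first attempt of slides 19–23, the validity check of slide 26 and the Derive steps of slides 28–30. Every G1 element $g^a$ is stored as the integer $a \bmod p$, every G2 element $\tilde{g}^b$ as $b$, and a pairing $e(g^a, \tilde{g}^b) = e(g,\tilde{g})^{ab}$ as $ab \bmod p$, so the two verification equations become integer identities that can be checked on concrete values. The function names (`keygen`, `sign`, `derive`, `verify_derived`, `maul_aggregate`), the toy modulus `P` and the sample messages are all constructed for this example; because everyone in the simulation knows the discrete logs, it checks correctness, not hardness.

```python
import random

P = (1 << 61) - 1  # constructed stand-in for the prime group order p


def keygen(n, rng):
    """Secret (x, y_1..y_n); public X = g^x, Y_i = g^{y_i} in G1,
    g~^{y_i} in G2, and the extra derivation elements g^{y_i y_j}, i != j."""
    x = rng.randrange(1, P)
    y = [rng.randrange(1, P) for _ in range(n)]
    pk = {
        "X": x,
        "Y": y,    # exponents of Y_i (G1)
        "Yt": y,   # exponents of g~^{y_i} (G2): same scalars, other group
        "Yij": {(i, j): y[i] * y[j] % P
                for i in range(n) for j in range(n) if i != j},  # g^{y_i y_j}
    }
    return (x, y), pk


def sign(sk, msgs, rng):
    """PS signature: sigma_1 <-$ G2, sigma_2 = sigma_1^{x + sum y_i m_i}."""
    x, y = sk
    s1 = rng.randrange(1, P)
    s2 = s1 * ((x + sum(yi * mi for yi, mi in zip(y, msgs))) % P) % P
    return s1, s2


def verify_ps(pk, msgs, sig):
    """e(g, sigma_2) == e(X prod Y_i^{m_i}, sigma_1); g itself has exponent 1."""
    s1, s2 = sig
    rhs = (pk["X"] + sum(yi * mi for yi, mi in zip(pk["Y"], msgs))) % P
    return s2 == rhs * s1 % P


def derive(pk, msgs, sig, I, rng):
    """Steps 1-3 of the slides: derived signature on {m_i}_{i in I}."""
    Ibar = [j for j in range(len(msgs)) if j not in I]
    s1, s2 = sig
    t = rng.randrange(1, P)                    # Step 1: aggregate t under dummy key 1
    s2pp = (s2 + s1 * t) % P                   #   sigma_2 * sigma_1^t
    r = rng.randrange(1, P)                    #   re-randomise with r
    s1p, s2p = s1 * r % P, s2pp * r % P
    st1 = (t + sum(pk["Y"][j] * msgs[j] for j in Ibar)) % P      # Step 2: g^t prod_{Ibar} Y_j^{m_j}
    st2 = (t * sum(pk["Y"][i] for i in I)                        #   (prod_I Y_i)^t ...
           + sum(pk["Yij"][(i, j)] * msgs[j] for i in I for j in Ibar)) % P  # ... prod (g^{y_i y_j})^{m_j}
    return s1p, s2p, st1, st2                  # Step 3


def ps_equation_only(pk, disclosed, dsig):
    """First-attempt check (slides 19-23): the PS equation with sigma~_1 folded
    in, and nothing else. disclosed maps i in I -> m_i."""
    s1p, s2p, st1, _ = dsig
    agg = (pk["X"] + st1 + sum(pk["Y"][i] * m for i, m in disclosed.items())) % P
    return agg * s1p % P == s2p               # e(X st1 prod Y_i^{m_i}, s1') == e(g, s2')


def verify_derived(pk, disclosed, dsig):
    """Full check: PS equation plus the validity equation for sigma~_1 (slide 26)."""
    _, _, st1, st2 = dsig
    sum_yt = sum(pk["Yt"][i] for i in disclosed) % P
    agg_ok = st1 * sum_yt % P == st2           # e(st1, prod g~^{y_i}) == e(st2, g~)
    return ps_equation_only(pk, disclosed, dsig) and agg_ok


def maul_aggregate(pk, dsig, i0, m_i0, t_new):
    """Slide 23: fold Y_{i0}^{m_{i0} - t} into sigma~_1 so position i0 reads t.
    sigma~_2 is left untouched; recomputing it would need y_{i0}^2, absent from pk."""
    s1p, s2p, st1, st2 = dsig
    return s1p, s2p, (st1 + pk["Y"][i0] * (m_i0 - t_new)) % P, st2


def demo(seed=2020):
    rng = random.Random(seed)
    msgs = [7_310_204, 1980, 75_001, 42]      # constructed: name hash, birth year, postcode, id
    sk, pk = keygen(len(msgs), rng)
    sig = sign(sk, msgs, rng)
    dsig = derive(pk, msgs, sig, I=[1], rng=rng)   # disclose only the birth year
    bad = maul_aggregate(pk, dsig, 1, 1980, 2005)  # try to make it read 2005
    return {
        "ps_ok": verify_ps(pk, msgs, sig),
        "derived_ok": verify_derived(pk, {1: 1980}, dsig),
        "mauled_passes_ps_only": ps_equation_only(pk, {1: 2005}, bad),
        "mauled_passes_full": verify_derived(pk, {1: 2005}, bad),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the honest derived signature passing both equations, while the mauled aggregate from slide 23 still satisfies the PS equation on its own and is rejected only by the $\tilde{\sigma}_2$ validity equation, which is the point of the slide 26 construction. Replacing the exponent arithmetic with real group operations (and the dict of exponents with actual G1/G2 points) is all that separates this sketch from a pairing-library implementation.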

SLIDE 31

Anonymous Credentials

Converting our scheme into anonymous credentials is straightforward:
− a credential is a signature on the user's secret key usk and $\{m_i\}_{i=1}^{n}$
− to show a credential on $\{m_i\}_{i \in I}$:
  − run Derive on usk and $\{m_i\}_{i \in I}$ to get σ
  − prove knowledge of usk
− almost as efficient as our URS scheme
− security follows from that of our URS scheme
− unlinkability holds under the DDH assumption

SLIDE 32

Conclusion

We have proposed a versatile and efficient URS scheme:
− signatures can be derived on any subset $\{m_i\}_{i \in I}$ of signed messages
− a derived signature contains 4 elements and can be verified with $O(|I|)$ complexity
− derived signatures are unlinkable
− possible to disclose $\{m_i\}_{i \in I}$ or prove that they satisfy some relations
− the derivation public key contains $O(n^2)$ elements

SLIDE 33

thank you
