
SHORT STRUCTURE-PRESERVING SIGNATURES

Essam Ghadafi

e.ghadafi@ucl.ac.uk Department of Computer Science, University College London

CT-RSA 2016


OUTLINE

  1. BACKGROUND
  2. OUR SCHEME
  3. EFFICIENCY COMPARISON
  4. SOME APPLICATIONS
  5. SUMMARY & OPEN PROBLEMS


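(PRIME-ORDER) BILINEAR GROUPS

$\mathbb{G}, \tilde{\mathbb{G}}, \mathbb{T}$ are finite cyclic groups of prime order $p$, where $\mathbb{G} = \langle G \rangle$ and $\tilde{\mathbb{G}} = \langle \tilde{G} \rangle$

Pairing ($e : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$): The function $e$ must have the following properties:

  • Bilinearity: $\forall P \in \mathbb{G}, \forall \tilde{Q} \in \tilde{\mathbb{G}}, \forall x, y \in \mathbb{Z}$, we have $e(P^x, \tilde{Q}^y) = e(P, \tilde{Q})^{xy}$
  • Non-Degeneracy: The value $e(G, \tilde{G}) \neq 1$ generates $\mathbb{T}$
  • The function $e$ is efficiently computable

Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and no efficiently computable homomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$ in either direction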


STRUCTURE-PRESERVING SIGNATURES

Some History:

  • The term “Structure-Preserving” was coined by Abe et al. 2010
  • Earlier constructions: Groth 2006 and Green and Hohenberger 2008
  • Many constructions in the 3 different main types of bilinear groups
  • Optimal Type-III constructions are the most efficient


STRUCTURE-PRESERVING SIGNATURES

What are they?

DEFINITION (A STRUCTURE-PRESERVING SIGNATURE)

A signature scheme (defined over bilinear groups) where:

  • $m$, $vk$ and $\sigma$ are elements of $\mathbb{G}$ and/or $\tilde{\mathbb{G}}$
  • Verifying signatures only involves deciding group membership and evaluating pairing-product equations (PPE):

      $\prod_i \prod_j e(A_i, \tilde{B}_j)^{c_{i,j}} = Z$,

    where $A_i \in \mathbb{G}$, $\tilde{B}_j \in \tilde{\mathbb{G}}$ and $Z \in \mathbb{T}$ are group elements appearing in $P$, $m$, $vk$, $\sigma$, whereas $c_{i,j} \in \mathbb{Z}_p$ are constants


STRUCTURE-PRESERVING SIGNATURES

Why Structure-Preserving Signatures?

Compose well with other pairing-based schemes

  • Easy to encrypt

Compose well with ElGamal/BBS linear encryption

  • Easy to combine with NIZK proofs

Compose well with Groth-Sahai proofs


APPLICATIONS OF STRUCTURE-PRESERVING SIGNATURES

Applications of Structure-Preserving Signatures:

  • Blind signatures
  • Group signatures
  • Malleable signatures
  • Tightly secure encryption schemes
  • Anonymous credentials
  • Oblivious transfer
  • Network coding
  • . . .


EXISTING LOWER BOUNDS

Lower Bounds (for unilateral messages) in Type-III Bilinear Groups (Abe et al. 2011):

  • Signatures contain at least 3 group elements
  • Signatures cannot be unilateral (must contain elements from both $\mathbb{G}$ and $\tilde{\mathbb{G}}$)
      Note: Elements of $\tilde{\mathbb{G}}$ are at least twice as big as those of $\mathbb{G}$
  • At least 2 PPE verification equations


OUR CONTRIBUTION

A new signature scheme in Type-III bilinear groups with shorter signatures than existing ones:

  • Signatures consist of 3 elements from $\mathbb{G}$ (i.e. unilateral)
  • 2 PPE verification equations (5 pairings in total)
  • Message space is the set of Diffie-Hellman pairs (Abe et al. 2010):

      The set $\hat{\mathbb{G}} = \{(M, \tilde{N}) \mid (M, \tilde{N}) \in \mathbb{G} \times \tilde{\mathbb{G}},\ e(M, \tilde{G}) = e(G, \tilde{N})\}$

More efficient instantiations of some existing cryptographic protocols (e.g. DAA)


OUR SCHEME

The Underlying Idea:

  • Can be viewed as an extension of the non-structure-preserving scheme of Pointcheval and Sanders (CT-RSA 2016)
  • Can be viewed as a more efficient variant of Ghadafi (ACISP 2013) Camenisch-Lysyanskaya based structure-preserving scheme


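OUR SCHEME

The Scheme:

  • KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (\tilde{X} := \tilde{G}^x, \tilde{Y} := \tilde{G}^y) \in \tilde{\mathbb{G}}^2$
  • Sign: To sign $(M, \tilde{N}) \in \hat{\mathbb{G}}$, choose $a \leftarrow \mathbb{Z}_p^{\times}$, $\sigma := (A := G^a, B := M^a, C := A^x \cdot B^y) \in \mathbb{G}^3$
  • Verify: Check that $A \neq 1_{\mathbb{G}}$ and $(M, \tilde{N}) \in \hat{\mathbb{G}}$ and

      $e(A, \tilde{N}) = e(B, \tilde{G})$
      $e(C, \tilde{G}) = e(A, \tilde{X}) \, e(B, \tilde{Y})$

  • Randomize: Choose $r \leftarrow \mathbb{Z}_p^{\times}$, return $\sigma' := (A' := A^r, B' := B^r, C' := C^r)$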


PROPERTIES OF THE SCHEME

Some Properties of the Scheme:

  • The scheme is secure in the generic group model
      ⇒ alternatively can be based on an interactive assumption
  • Unilateral signatures
  • (Perfectly) Fully re-randomizable
  • Only M part of the message is needed for signing
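The KeyGen/Sign/Verify/Randomize algorithms and the properties listed above, as an added example that is not from the talk or the paper: a toy model in which every group element is stored as its discrete log, so the "pairing" is multiplication mod p. It offers no security and only exercises the algebra; `P`, `El`, `dh_pair` and the sample values are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

P = 2**61 - 1  # toy prime group order p (constructed; not a pairing-curve order)

@dataclass(frozen=True)
class El:
    grp: str  # "G", "Gt" (G-tilde) or "T"
    log: int  # discrete log w.r.t. the generator; exposing it makes this a toy

    def __pow__(self, k):      # exponentiation multiplies the log
        return El(self.grp, self.log * k % P)

    def __mul__(self, other):  # the group operation adds the logs
        if self.grp != other.grp:
            raise TypeError("elements of different groups")
        return El(self.grp, (self.log + other.log) % P)

G, Gt = El("G", 1), El("Gt", 1)  # generators of G and G-tilde

def e(a, b):
    """Toy Type-III pairing: defined on G x G-tilde only, bilinear by construction."""
    if (a.grp, b.grp) != ("G", "Gt"):
        raise TypeError("pairing is defined on G x G-tilde only")
    return El("T", a.log * b.log % P)

def keygen():
    x, y = secrets.randbelow(P), secrets.randbelow(P)
    return (x, y), (Gt ** x, Gt ** y)          # sk, pk = (X~, Y~)

def sign(sk, M):
    x, y = sk                                  # only M is used, never N~
    a = secrets.randbelow(P - 1) + 1           # a in Z_p^x
    A, B = G ** a, M ** a
    return A, B, (A ** x) * (B ** y)

def verify(pk, msg, sig):
    (X, Y), (M, N), (A, B, C) = pk, msg, sig
    return (A != El("G", 0)                    # A != 1_G
            and e(M, Gt) == e(G, N)            # (M, N~) is a Diffie-Hellman pair
            and e(A, N) == e(B, Gt)            # first PPE
            and e(C, Gt) == e(A, X) * e(B, Y)) # second PPE

def randomize(sig):
    r = secrets.randbelow(P - 1) + 1           # r in Z_p^x
    return tuple(s ** r for s in sig)

def dh_pair(m):                                # hypothetical helper: (G^m, G~^m)
    return G ** m, Gt ** m
```

The all-identity tuple satisfies both pairing-product equations for every message, which is why Verify also checks that A is not the identity.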


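EFFICIENCY COMPARISON

| Scheme | Size σ | Size vk | Size P | Size m | R? | Assumptions | Verification PPE | Verification Pairing |
|---|---|---|---|---|---|---|---|---|
| [GH08] (a) | $\mathbb{G}^4 \times \tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}^2$ | - | $\mathbb{G}$ | Y | q-HLRSW | 4 | 8 |
| [Fuc09] | $\mathbb{G}^3 \times \tilde{\mathbb{G}}^2$ | $\mathbb{G} \times \tilde{\mathbb{G}}$ | $\mathbb{G}^3$ | $\hat{\mathbb{G}}$ | N | q-ADHSDH+AWFCDH | 3 | 9 |
| [AFG+10] I | $\mathbb{G}^5 \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}^{10} \times \tilde{\mathbb{G}}^4$ | - | $\mathbb{G}$ | P | q-SFP | 2 | 12 |
| [AFG+10] II | $\mathbb{G}^2 \times \tilde{\mathbb{G}}^5$ | $\mathbb{G}^{10} \times \tilde{\mathbb{G}}^4$ | - | $\tilde{\mathbb{G}}$ | P | q-SFP | 2 | 12 |
| [AGH+11] I | $\mathbb{G}^2 \times \tilde{\mathbb{G}}$ | $\mathbb{G} \times \tilde{\mathbb{G}}^3$ | - | $\mathbb{G} \times \tilde{\mathbb{G}}$ | N | GGM | 2 | 7 |
| [AGH+11] II | $\mathbb{G}^2 \times \tilde{\mathbb{G}}$ | $\mathbb{G} \times \tilde{\mathbb{G}}$ | - | $\tilde{\mathbb{G}}$ | Y | GGM | 2 | 5 |
| [Gha13] | $\mathbb{G}^4$ | $\tilde{\mathbb{G}}^2$ | - | $\hat{\mathbb{G}}$ | Y | DH-LRSW | 3 | 7 |
| [CM14] I | $\mathbb{G} \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}^2$ | - | $\tilde{\mathbb{G}}$ | N | GGM | 2 | 5 |
| [CM14] II | $\mathbb{G} \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}^2$ | - | $\tilde{\mathbb{G}}$ | Y | GGM | 2 | 6 |
| [CM14] III | $\mathbb{G}^2 \times \tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}^2$ | - | $\mathbb{G}$ | Y | GGM | 2 | 6 |
| [AGO+14] I | $\mathbb{G}^3 \times \tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}$ | $\mathbb{G}$ | $\mathbb{G}$ | Y | GGM | 2 | 6 |
| [AGO+14] II | $\mathbb{G}^2 \times \tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}$ | $\mathbb{G}$ | $\mathbb{G}$ | N | GGM | 2 | 6 |
| [BFF15] | $\mathbb{G} \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}^2$ | - | $\tilde{\mathbb{G}}$ | Y | GGM | 2 | 5 |
| [Gro15] I | $\mathbb{G} \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}$ | $\tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}$ | Y | GGM | 2 | 6 |
| [Gro15] II | $\mathbb{G} \times \tilde{\mathbb{G}}^2$ | $\mathbb{G}$ | $\tilde{\mathbb{G}}$ | $\tilde{\mathbb{G}}$ | N | GGM | 2 | 7 |
| Ours | $\mathbb{G}^3$ | $\tilde{\mathbb{G}}^2$ | - | $\hat{\mathbb{G}}$ | Y | GGM | 2 | 5 |

(a) This scheme is only secure against a random message attack.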


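EFFICIENCY COMPARISON

Comparison with schemes with the same message space

| Scheme | Size σ | Size vk | Size P | R? | Assumptions | Verification PPE | Verification Pairing |
|---|---|---|---|---|---|---|---|
| [Fuc09] | $\mathbb{G}^3 \times \tilde{\mathbb{G}}^2$ | $\mathbb{G} \times \tilde{\mathbb{G}}$ | $\mathbb{G}^3$ | N | q-ADHSDH+AWFCDH | 3 | 9 or (7 & 2 ECAdd) |
| [Gha13] | $\mathbb{G}^4$ | $\tilde{\mathbb{G}}^2$ | - | Y | DH-LRSW | 3 | 7 or (6 & 1 ECAdd) |
| Ours | $\mathbb{G}^3$ | $\tilde{\mathbb{G}}^2$ | - | Y | GGM | 2 | 5 |

* Cost does not include checking well-formedness of the message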


GENERIC CONSTRUCTION OF DAA

Bernhard et al. 2013 gave a generic construction of DAA which requires the following tools:

  • Randomizable Weakly Blind Signatures (RwBS)
      Used by the Issuer to issue certificates as credentials when users join the group
  • Linkable Indistinguishable Tags (LIT)
      Needed to provide the linkability of signatures when the same basename is signed by the same user
  • Signatures of Knowledge (SoK)
      Used by users to prove they have a credential and that the signature on the basename verifies w.r.t. their certified secret key


BLIND SIGNATURES

Security Requirements:

  • Blindness: An adversary (i.e. a signer) who chooses the messages does not learn which message is being signed and cannot link a signature to its signing session
  • Unforgeability: An adversary (i.e. a user) cannot forge new signatures


RANDOMIZABLE WEAKLY BLIND SIGNATURES (RWBS)

Similar to blind signatures but:

  • Randomizability: Given a signature σ, anyone can produce a new signature σ′ on the same message
  • Weak Blindness: Same as blindness but the adversary never sees the messages
      ⇒ The adversary cannot tell if he was given a signature on a different message or a re-randomization of a signature on the same message


EFFICIENT RWBS WITHOUT RANDOM ORACLES

The Idea:

  • Combine the new scheme with SXDH-based Groth-Sahai proofs
  • Only M is needed for signing ⇒ To request a signature on $(M, \tilde{N})$, send $M$ and a NIZKPoK $\pi$ of $\tilde{N}$

      $L_{User} : (M, \tilde{N}) : e(G, \tilde{N}) = e(M, \tilde{G}') \wedge \tilde{G}' \cdot \tilde{G} = 1_{\tilde{\mathbb{G}}}$

  • The signer produces a signature $\sigma$ and a NIZK proof $\Omega$ (without knowing $\tilde{N}$) for the validity of $\sigma$

      $L_{Signer} : ((A, B, M), \tilde{A}) : e(G, \tilde{A}) = e(A, \tilde{G}') \wedge e(M, \tilde{A}) = e(B, \tilde{G}') \wedge \tilde{G}' \cdot \tilde{G} = 1_{\tilde{\mathbb{G}}}$

  • Fully re-randomizable ⇒ User verifies $\Omega$ and the final signature is a re-randomization of $\sigma$


EFFICIENT RWBS WITHOUT RANDOM ORACLES

Security of the RwBS Scheme: Unforgeability of the SPS Scheme + SXDH

Efficiency of the RwBS Scheme:

| Scheme | Signature | Verification PPE | Verification Pairing |
|---|---|---|---|
| Bernhard et al. 2013 I | $\mathbb{G}^4$ | 3 | 7 or (6 & 1 ECAdd) |
| Ours | $\mathbb{G}^3$ | 2 | 5 |


SUMMARY & OPEN PROBLEMS

Summary:

  • A new unilateral SPS scheme with short signatures
  • More efficient instantiations of building blocks for DAA without random oracles

Open Problems:

  • More efficient constructions of unilateral structure-preserving signatures
  • Constructions based on standard assumptions (e.g. DDH, DLIN, etc.)
  • (Constant-size?) constructions for a vector of Diffie-Hellman pairs


THE END

Thank you for your attention! Questions?
