Group Signatures [CH91] allow a member to anonymously and - - PowerPoint PPT Presentation



SLIDE 1

EFFICIENT DISTRIBUTED TAG-BASED ENCRYPTION AND ITS APPLICATION TO GROUP SIGNATURES WITH EFFICIENT DISTRIBUTED TRACEABILITY

Essam Ghadafi (Presented by Enrique Larraia)

ghadafi@cs.bris.ac.uk University of Bristol

Latincrypt 2014

EFFICIENT DISTRIBUTED TAG-BASED ENCRYPTION AND . . .

SLIDE 2

OUTLINE

1. BACKGROUND
2. SECURITY MODEL
3. A DISTRIBUTED TAG-BASED ENCRYPTION SCHEME
4. GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY
5. INSTANTIATIONS IN THE STANDARD MODEL
6. SUMMARY

SLIDE 3

GROUP SIGNATURES

Group Signatures [CH91] allow a member to anonymously and accountably sign on behalf of a group.

FIGURE: A Group Signature (the group's members produce signatures Sig; the group manager GM holds msk; the tracing manager TM holds tsk and recovers the Signer ID from a signature)

SLIDE 4

HISTORY AND RELATED WORK

Group Signatures were introduced by Chaum and van Heyst [CH91]. Extensive existing work includes:

  • Security Definitions (Static Groups) by Bellare et al. [BMW03].
  • Security Definitions (Dynamic Groups) by Bellare et al. [BSZ05].
  • Opening Soundness by Sakai et al. [SSE+12].
  • Many constructions, e.g. [CS97, CM98, BBS04, KY05, BW06, BW07, DP06, G07, BB08, . . .].
  • Either informal constructions or constructions meeting weaker security notions for distributed traceability, e.g. [FY04, BCL+08].

SLIDE 5

SECURITY OF GROUP SIGNATURES

Besides correctness, the security requirements [BSZ05] are:

  • Anonymity: Signatures do not reveal the identity of the member.
  • Traceability: All signatures trace to a member in the group.
  • Non-Frameability: No one can accuse an honest member of producing a signature she did not produce.
      ◮ Protects against a corrupt tracing manager, i.e. TM must prove his decision.

SLIDE 6

THE PROBLEM

Issue: The Tracing Manager has strong power which it can abuse!

Solution: Distribute the tracing capability among n authorities, as considered by other works, e.g. [FY04, ZLM+08].

Challenge: Realizing distributed traceability efficiently + strong security:

  • Full (i.e. CCA) anonymity.
  • Concurrent Join protocol, i.e. 1 round.
  • Non-frameability against dishonest tracing managers.
  • Tracing soundness.

SLIDE 7

OUR CONTRIBUTION

1. A security model for dynamic group signatures with distributed traceability.
2. A generic construction for dynamic group signatures with distributed traceability.
3. Efficient instantiations in the standard model.
4. Efficient instantiations of a distributed/threshold tag-based encryption scheme in the standard model.

SLIDE 8

GROUP SIGNATURES WITH DISTRIBUTED TRACEABILITY

FIGURE: A Group Signature with Distributed Traceability (the group's members produce signatures Sig; the group manager GM holds msk; the tracing managers $TM_1, \ldots, TM_n$ hold $tsk_1, \ldots, tsk_n$ and jointly recover the Signer ID)

SLIDE 9

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Anonymity: Signatures do not reveal who signed them.

FIGURE: Anonymity game. Keys: $(gpk, msk, \{tsk_i\}_i)$. Oracles: AddU, CrptU, SndU, WReg, TraceShare, Trace, ModifyReg, RevealU. Challenge: the adversary sends $(uid_0, uid_1, m)$ to the challenger Ch, which picks $b \leftarrow \{0,1\}$ and returns a signature $\Sigma$; the adversary outputs a guess $b^*$.

  • Adversary wins if: $b = b^*$.
      ◮ Captures full key exposure.
      ◮ Adversary can learn $\kappa - 1$ tracing shares of $\Sigma$.

SLIDE 10

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Traceability: All signatures trace to a member in the group.

FIGURE: Traceability game. Keys: $(gpk, \{tsk_i\}_i)$. Oracles: AddU, CrptU, SndM, Sign, RReg, RevealU. The adversary outputs $(\Sigma^*, m^*)$.

Adversary wins if:

  • $\Sigma^*$ verifies on $m^*$ and either:
      ◮ $\Sigma^*$ is untraceable, i.e. an invalid share or TraceVerify does not accept, or
      ◮ $\Sigma^*$ does not open to a signer in the group.

SLIDE 11

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it.

FIGURE: Non-frameability game. Keys: $(gpk, msk, \{tsk_i\}_i)$. Oracles: CrptU, WReg, RevealU, SndU, Sign. The adversary outputs $(m^*, \Sigma^*, uid^*, \theta^*_{\mathrm{Trace}})$.

Adversary wins if all of the following hold:

  • $\Sigma^*$ verifies on $m^*$ and was not obtained from the Sign oracle.
  • $\theta^*_{\mathrm{Trace}}$ is accepted by TraceVerify.
  • $uid^*$ is honest.

SLIDE 12

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Tracing Soundness: Even if all entities are corrupt, they cannot produce a signature that traces to different members.

FIGURE: Tracing soundness game. Keys: $(gpk, msk, \{tsk_i\}_i)$. Oracles: WReg, CrptU. The adversary outputs $(m^*, \Sigma^*, uid_1^*, \theta^*_{\mathrm{Trace}_1}, uid_2^*, \theta^*_{\mathrm{Trace}_2})$.

Adversary wins if all of the following hold:

  • $\Sigma^*$ verifies on $m^*$.
  • $\theta^*_{\mathrm{Trace}_1}$ and $\theta^*_{\mathrm{Trace}_2}$ are accepted by TraceVerify.
  • $uid_1^* \neq uid_2^*$ and $uid_1^*, uid_2^* \neq \bot$.

SLIDE 13

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

◮ Selective-Tag weakly IND-CCA DTBE: $n$ decryption servers, each with a secret/verification key pair $(sk_i, svk_i)$. n-out-of-n: A ciphertext can be decrypted only if all $n$ servers compute their shares correctly. (One can have k-out-of-n instead.)

Desirable Properties:

  • Public Verifiability: Well-formedness of ciphertexts is publicly verifiable.
  • Non-Interactiveness: Decryption requires no interaction among the servers.
  • Robustness: Invalid decryption shares can be identified by the combiner.

SLIDE 14

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

DTBE algorithms:

  • Setup($1^\lambda$, $n$): Outputs $pk$, $svk = (svk_1, \ldots, svk_n)$ and $sk = (sk_1, \ldots, sk_n)$.
  • Enc($pk$, $t$, $m$): Outputs a ciphertext $C_{dtbe}$.
  • IsValid($pk$, $t$, $C_{dtbe}$): Outputs 1 if the ciphertext is valid under the tag $t$.
  • ShareDec($pk$, $sk_i$, $t$, $C_{dtbe}$): Outputs the $i$-th server decryption share $\nu_i$ or $\bot$.
  • ShareVerify($pk$, $svk_i$, $t$, $C_{dtbe}$, $\nu_i$): Outputs 1 if the decryption share $\nu_i$ is valid or 0 otherwise.
  • Combine($pk$, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, $t$): Outputs either $m$ or $\bot$.

SLIDE 15

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

SECURITY OF DTBE

ST-wIND-CCA: Similar to IND-CCA for PKE, but the adversary:

1. Must choose the target tag $t^*$ before it gets $pk$.
2. Cannot ask decryption queries on ciphertexts under $t^*$.

Decryption Consistency: A ciphertext cannot be opened in two different ways.

SLIDE 16

(PRIME-ORDER) BILINEAR GROUPS

$\mathbb{G}$, $\tilde{\mathbb{G}}$, $\mathbb{T}$ are finite cyclic groups of prime order $p$, with $\mathbb{G} := \langle G \rangle$ and $\tilde{\mathbb{G}} := \langle \tilde{G} \rangle$.

Pairing $e : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$: The function $e$ must have the following properties:

  • Bilinearity: $\forall H \in \mathbb{G}, \forall \tilde{H} \in \tilde{\mathbb{G}}, \forall x, y \in \mathbb{Z}$, we have $e(H^x, \tilde{H}^y) = e(H, \tilde{H})^{xy}$.
  • Non-degeneracy: $e(G, \tilde{G}) \neq 1$.
  • $e$ is efficiently computable.

Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and there is no efficiently computable isomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$.

SLIDE 17

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

Based on the Kiltz scheme [Kil06] and its threshold variant [AT09], but ours is more efficient as it is in asymmetric groups.

DEFINITION (DLIN$_\mathbb{G}$): Given a bilinear group $\mathcal{P}$ and $(H, V, U, R, S, T) = (G^h, G^v, G^u, G^{rh}, G^{sv}, G^{ut}) \in \mathbb{G}^6$, is $t = r + s$?

DEFINITION (EXTERNAL DLIN (XDLIN$_\mathbb{G}$) [Abe et al. 2012]): Same as DLIN$_\mathbb{G}$ but include the tuple $(\tilde{H}, \tilde{V}, \tilde{U}, \tilde{R}, \tilde{S})$ in $\tilde{\mathbb{G}}$ in the input as well.

Idea of Construction: Convert [AT09] into the Type-III setting and base it on XDLIN$_\mathbb{G}$ instead of DLIN$_\mathbb{G}$.

SLIDE 18

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

Setup($1^\lambda$, $n$):

  • $h, w, z, \{u_i\}_{i=1}^n, \{v_i\}_{i=1}^n \leftarrow \mathbb{Z}_p$.
  • $u := \sum_{i=1}^n u_i$, $v := \sum_{i=1}^n v_i$, $(H, \tilde{H}) := (G^h, \tilde{G}^h)$, $(U, \tilde{U}) := (H^u, \tilde{H}^u)$, $(V, \tilde{V}) := (U^{\frac{1}{v}}, \tilde{U}^{\frac{1}{v}})$, $(W, \tilde{W}) := (H^w, \tilde{H}^w)$, $(Z, \tilde{Z}) := (V^z, \tilde{V}^z)$.
  • Server Secret Key is $sk_i := (u_i, v_i)$.
  • Server Verification Key is $svk_i := (\tilde{U}_i := \tilde{H}^{u_i}, \tilde{V}_i := \tilde{V}^{v_i})$.
  • Public Key is $pk := (\mathcal{P}, H, \tilde{H}, U, \tilde{U}, V, \tilde{V}, W, \tilde{W}, Z, \tilde{Z})$.

Enc($pk$, $t$, $M$):

  • $r_1, r_2 \leftarrow \mathbb{Z}_p$.
  • $C_1 := H^{r_1}$, $C_2 := V^{r_2}$, $C_3 := M U^{r_1 + r_2}$, $C_4 := (U^t W)^{r_1}$, $C_5 := (U^t Z)^{r_2}$.
  • $C_{dtbe} := (C_1, C_2, C_3, C_4, C_5) \in \mathbb{G}^5$.
  • To check validity of $C_{dtbe}$, check $e(C_1, \tilde{U}^t \tilde{W}) = e(C_4, \tilde{H})$ and $e(C_2, \tilde{U}^t \tilde{Z}) = e(C_5, \tilde{V})$.

SLIDE 19

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

ShareVerify($pk$, $svk_i$, $t$, $C_{dtbe}$, $\nu_i$):

  • Parse $svk_i$ as $(\tilde{U}_i, \tilde{V}_i)$, $\nu_i$ as $(C_{i,1}, C_{i,2})$ and $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$.
  • Return 1 iff $C_{dtbe}$ is valid and $e(C_{i,1}, \tilde{H}) = e(C_1, \tilde{U}_i)$ and $e(C_{i,2}, \tilde{V}) = e(C_2, \tilde{V}_i)$.

ShareDec($pk$, $sk_i$, $t$, $C_{dtbe}$):

  • Return $\bot$ if $C_{dtbe}$ is invalid.
  • Parse $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$ and $sk_i$ as $(u_i, v_i)$.
  • Return $\nu_i := (C_{i,1} := C_1^{u_i}, C_{i,2} := C_2^{v_i})$.

Combine($pk$, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, $t$):

  • Return $\bot$ if $C_{dtbe}$ or any of the shares $\nu_i$ are invalid.
  • $M := \dfrac{C_3}{\prod_{i=1}^n C_{i,1} C_{i,2}}$.


SLIDE 20

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

◮ Tools used:

1. A NIZK proof of knowledge system NIZK.
2. Two digital signature schemes DS1 and DS2 (one can use the same signature scheme).
3. A digital signature scheme WDS unforgeable against a weak chosen-message attack.
4. A strongly unforgeable one-time signature scheme OTS.
5. A selective-tag weakly IND-CCA distributed tag-based encryption scheme DTBE.
6. A collision-resistant hash function $H : \{0,1\}^* \to \mathcal{T}_{DTBE}$.

SLIDE 21

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

◮ Group Key Generation

  • Generate $(pk_{DTBE}, \{svk_i\}_{i=1}^\kappa, \{sk_i\}_{i=1}^\kappa)$ for DTBE.
  • Generate $(pk_{GM}, sk_{GM})$ for DS1.
  • Generate $crs$ for NIZK.
  • Choose a collision-resistant hash function $H : \{0,1\}^* \to \mathcal{T}_{DTBE}$.

Set $tsk_i := sk_i$, $gpk := (1^\lambda, crs, pk_{GM}, pk_{DTBE}, \{svk_i\}_{i=1}^\kappa, H)$ and $msk := sk_{GM}$.

◮ User Key Generation

  • Generate a key pair $(upk[uid], usk[uid])$ for DS2.

SLIDE 22

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

◮ Joining the group (the User holds $(gpk, uid, usk[uid])$, the Group Manager holds $(msk, uid, upk[uid])$)

  • User: Generate $(pk_{uid}, sk_{uid})$ for WDS.
  • User: $sig_{uid} \leftarrow$ DS2.Sign($usk[uid]$, $pk_{uid}$).
  • User: Send $(sig_{uid}, pk_{uid})$.
  • Group Manager: Abort if $sig_{uid}$ is invalid.
  • Group Manager: $cert_{uid} \leftarrow$ DS1.Sign($msk$, $pk_{uid}$).
  • Group Manager: Send $cert_{uid}$.
  • User: Abort if $cert_{uid}$ is invalid.
  • User: $gsk[uid] := (sk_{uid}, pk_{uid}, cert_{uid})$.
  • Group Manager: $reg[uid] := (pk_{uid}, sig_{uid})$.

SLIDE 23

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

◮ Signing

1. Choose a fresh key pair $(otsvk, otssk)$ for OTS.
2. Encrypt $pk_{uid}$ under $pk_{DTBE}$ and tag $H(otsvk)$ (possibly using some randomness $\tau$) to get $C_{dtbe}$.
3. $\sigma \leftarrow$ WDS.Sign($sk_{uid}$, $H(otsvk)$).
4. Produce a NIZK proof $\pi$ of $pk_{uid}$, $cert_{uid}$, $\sigma$ and $\tau$ that:
      ◮ $C_{dtbe}$ is an encryption of $pk_{uid}$ under tag $H(otsvk)$ (possibly using randomness $\tau$).
      ◮ $\sigma$ is a valid WDS signature on $H(otsvk)$ w.r.t. $pk_{uid}$.
      ◮ $cert_{uid}$ is a valid DS1 signature from GM on $pk_{uid}$.
5. $\sigma_{ots} \leftarrow$ OTS.Sign($otssk$, $(m, C_{dtbe}, \pi, otsvk)$).

The signature is $\Sigma := (\sigma_{ots}, \pi, C_{dtbe}, otsvk)$.

SLIDE 24

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

◮ Tracing

Tracing Manager $TM_i$ uses his $tsk_i$ to get the decryption share of $C_{dtbe}$. Given all shares, anyone can recover the signer identity.

◮ TraceVerify

Verify all the tracing shares. Check that $sig_{uid}$ on $pk_{uid}$ verifies w.r.t. the accused signer's personal public key $upk[uid]$.

SLIDE 25

SECURITY OF THE GENERIC CONSTRUCTION

Anonymity:
  • Zero-Knowledge of NIZK.
  • ST-wIND-CCA of DTBE.
  • Unforgeability of OTS.
  • Collision-resistance of H.

Non-Frameability:
  • Soundness of NIZK.
  • Unforgeability of DS2, WDS and OTS.
  • Collision-resistance of H.

Traceability:
  • Soundness of NIZK.
  • Unforgeability of DS1.

Tracing Soundness:
  • Decryption-Consistency of DTBE.

SLIDE 26

BUILDING BLOCKS

Groth-Sahai proofs [GS08]:

FIGURE: Commutative diagram of the Groth-Sahai system: the bilinear map $f : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$ on top and $F : \mathbb{H} \times \tilde{\mathbb{H}} \to \mathbb{S}$ below, where $\mathbb{H} := \mathbb{G}^2$, $\tilde{\mathbb{H}} := \tilde{\mathbb{G}}^2$ and $\mathbb{S} := \mathbb{T}^4$, connected by the inclusion and projection maps $\iota_1, \rho_1$; $\iota_2, \rho_2$; $\iota_T, \rho_T$.

The system works by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either:

  • The simulation setting ⇒ perfectly hiding proofs.
  • The extraction setting ⇒ perfectly sound proofs.

We use the SXDH instantiation, which is the most efficient [GSW10].

SLIDE 27

BUILDING BLOCKS

FULL BONEH-BOYEN (FBB) SIGNATURE SCHEME

  • KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G^x, Y := G^y)$.
  • Sign: Choose $r \leftarrow \mathbb{Z}_p$ s.t. $x + ry + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{\frac{1}{x + ry + m}}$.
  • Verify: Return 1 iff $e(X Y^r G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

WEAK BONEH-BOYEN (WBB) SIGNATURE SCHEME

  • KeyGen: Choose $x \leftarrow \mathbb{Z}_p$, set $sk := x$ and $pk := X := G^x$.
  • Sign: If $x + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{\frac{1}{x + m}}$.
  • Verify: Return 1 iff $e(X G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

Both are secure under the q-SDH assumption.

SLIDE 28

BUILDING BLOCKS

ABE et al. [AGO+14] SIGNATURE SCHEME

  • Setup: Choose a bilinear group $\mathcal{P}$. $F \leftarrow \mathbb{G}$. $param := (\mathcal{P}, F)$.
  • KeyGen: Choose $x \leftarrow \mathbb{Z}_p$. Set $\tilde{X} := \tilde{G}^x$, $sk := x$ and $pk := \tilde{X}$.
  • Sign: Choose $r \leftarrow \mathbb{Z}_p$, $\tilde{\Omega}_1 := \tilde{G}^r$, $\Omega_2 := M^{\frac{x}{r}} F^{\frac{1}{r}}$, $\Omega_3 := \Omega_2^{\frac{x}{r}} G^{\frac{1}{r}}$; the randomization token is $\Omega_4 := G^{\frac{1}{r}}$.
  • Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_1) = e(M, \tilde{X})\, e(F, \tilde{G})$ and $e(\Omega_3, \tilde{\Omega}_1) = e(\Omega_2, \tilde{X})\, e(G, \tilde{G})$.

Fully re-randomizable and secure under an interactive assumption.

SLIDE 29

BUILDING BLOCKS

ABE et al. [AGH+11] SIGNATURE SCHEME

  • Setup: Choose a bilinear group $\mathcal{P}$. $param := \mathcal{P}$.
  • KeyGen: Choose $w, x, y_1, y_2 \leftarrow \mathbb{Z}_p$, $\tilde{W} := \tilde{G}^w$, $\tilde{X} := \tilde{G}^x$, $\tilde{Y}_1 := \tilde{G}^{y_1}$, $\tilde{Y}_2 := \tilde{G}^{y_2}$. $sk := (w, x, y_1, y_2)$, $pk := (\tilde{W}, \tilde{X}, \tilde{Y}_1, \tilde{Y}_2)$.
  • Sign: Choose $\Omega_1 \leftarrow \mathbb{G}$, $a \leftarrow \mathbb{Z}_p$. $\Omega_2 := G^a$, $\tilde{\Omega}_3 := \tilde{G}^{\frac{1}{a}}$, $\Omega_4 := G^{x - aw} \Omega_1^{-y_1} M^{-y_2}$.
  • Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_3) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(\Omega_2, \tilde{W})\, e(\Omega_4, \tilde{G})\, e(\Omega_1, \tilde{Y}_1)\, e(M, \tilde{Y}_2)$.

DEFINITION (q-AGHO [AGH+11]): Given a tuple $(G, \tilde{G}, \tilde{W}, \tilde{X}, \tilde{Y}) \in \mathbb{G} \times \tilde{\mathbb{G}}^4$ and $q$ random tuples $(A_i, B_i, R_i, \tilde{D}_i) \in \mathbb{G}^3 \times \tilde{\mathbb{G}}$ satisfying $e(A_i, \tilde{D}_i) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(A_i, \tilde{W})\, e(B_i, \tilde{G})\, e(R_i, \tilde{Y})$, it is hard to output a new tuple $(A^*, B^*, R^*, \tilde{D}^*)$ satisfying the relation.

SLIDE 30

INSTANTIATIONS

◮ Instantiation I

Groth-Sahai for NIZK. Abe et al. [AGO+14] signature scheme for DS1 and DS2. WBB signature for WDS. FBB signature for OTS. Our efficient DTBE for DTBE.

Assumptions: SXDH, XDLIN$_\mathbb{G}$, and q-SDH.

  • The Pros: More efficient (signature size is $\mathbb{G}^{24} + \tilde{\mathbb{G}}^{21} + \mathbb{Z}_p^5$).
  • The Cons: Involves an interactive intractability assumption (underlying the Abe et al. [AGO+14] scheme).

SLIDE 31

INSTANTIATIONS

◮ Instantiation II

Groth-Sahai for NIZK. Abe et al. [AGH+11] signature scheme for DS1 and DS2. WBB signature for WDS. FBB signature for OTS. Our efficient DTBE for DTBE.

Assumptions: SXDH, XDLIN$_\mathbb{G}$, q-AGHO, and q-SDH.

  • The Pros: Only relies on falsifiable intractability assumptions.
  • The Cons: Less efficient than I (signature size is $\mathbb{G}^{28} + \tilde{\mathbb{G}}^{24} + \mathbb{Z}_p^3$).

SLIDE 32

SUMMARY

  • A formal security model for group signatures with distributed traceability.
  • A generic construction of group signatures with distributed traceability.
  • Concrete constructions without idealized assumptions.
  • An efficient distributed/threshold tag-based encryption scheme in the Type-III setting.

SLIDE 33

THE END

Thank you for your attention! Questions? Email: ghadafi@cs.bris.ac.uk