SLIDE 1

FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES

Essam Ghadafi

ghadafi@cs.bris.ac.uk University of Bristol

ACISP 2013

FORMALIZING GROUP BLIND SIGNATURES . . .

SLIDE 2

OUTLINE

1 BACKGROUND
2 SECURITY MODEL
3 BUILDING BLOCKS
4 OUR CONSTRUCTIONS
5 FULL ANONYMITY
6 SUMMARY & OPEN PROBLEMS

SLIDE 8

GROUP BLIND SIGNATURES

Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the privacy of the message to be signed. Group Blind Signatures [LZ98] combine the properties of the above and thus preserve both the anonymity of the signer and the privacy of the message.

SLIDE 9

GROUP BLIND SIGNATURES

[Figure: the parties of a group blind signature. The Group Issuer holds the issuing key ik, the Opener holds the opening key ok, and all parties share the group public key gpk. A User runs the blind signing protocol with a group member and ends up with a signature Sig on a message the member never sees. Slides 10 to 12 are progressive reveals of the same figure.]

SLIDE 13

HISTORY AND RELATED WORK

The primitive which combines the properties of a blind signature [Cha83] and a group signature [CH91] was introduced by Lysyanskaya and Ramzan [LZ98].

Existing constructions:
◮ Lysyanskaya and Ramzan, 1998: based on the Camenisch-Stadler group signature scheme [CS97].
◮ K. Q. Nguyen, Y. Mu, and V. Varadharajan, 1999: uses divertible zero-knowledge proofs [OO90].

SLIDE 14

APPLICATIONS OF GROUP BLIND SIGNATURES

Group blind signatures provide bi-directional privacy and are thus useful for applications where such a requirement is needed.

Example applications:
◮ Distributed e-cash, e.g. [LZ98]: the e-coin reveals neither the identity of its holder nor that of the issuing bank/branch.
◮ Other applications include multi-authority e-voting and e-auction systems.

SLIDE 15

OUR CONTRIBUTION

◮ A formal security model for the primitive.
◮ A generic construction.
◮ The first instantiations without random oracles.
◮ Other useful building blocks and observations.

SLIDE 16

SECURITY DEFINITION CHALLENGES

The signing protocol is blind, i.e. the message is not known to the signer, and from the signer's view the final signature is not well defined (the user finishes it on its own), so:

1 How to define full anonymity, i.e. CCA2 anonymity? ⇒ How to identify the challenge signature, given that the Open oracle cannot simply refuse "the challenge" when the signer never sees it?
2 How to define non-frameability?
3 How to extend blindness to the group setting?

SLIDE 17

SYNTAX OF GROUP BLIND SIGNATURES

A group blind signature scheme consists of the following algorithms and protocols:
◮ GKg(1^λ): outputs the group public key gpk, the issuing key ik and the opening key ok.
◮ UKg: outputs a pair of personal secret/public keys (ssk[i], spk[i]) for a signer.
◮ Join(gpk, i, ssk[i]), Issue(ik, i, spk[i]): an interactive protocol between Signer i and the Issuer; if successful, Signer i becomes a member and obtains a group signing key gsk[i].
◮ Obtain(gpk, m), Sign(gsk[i]): an interactive protocol between a user and a member; if successful, the user obtains a signature Σ; otherwise it outputs ⊥.
◮ GVf(gpk, m, Σ): verifies whether Σ is a valid signature on the message m.
◮ Open(gpk, ok, reg, m, Σ): returns the identity of the signer plus a proof τ.
◮ Judge(gpk, i, spk[i], m, Σ, τ): verifies the Opener's decision.

SLIDE 18

SECURITY OF GROUP BLIND SIGNATURES

◮ Correctness: if all parties are honest, we have that:
  Signatures are accepted by the GVf algorithm.
  The Opener can identify the signer.
  The Judge algorithm accepts the Opener's decision.

SLIDE 19

SECURITY OF GROUP BLIND SIGNATURES

◮ Anonymity: signatures do not reveal who signed them.

[Figure: the anonymity game. The adversary receives (gpk, ik) and has access to the oracles Open†, SSK, CrptS, SndToS and ModifyReg. It sends two identities i0, i1 to the challenger Ch, who picks b ← {0,1} and runs the challenge phase for signer i_b; the adversary finally outputs a guess b*.]

Adversary wins if b = b*.
◮ † Similarly to IND-RCCA [CKN03], the Open oracle returns ⊥ if the queried signature opens to i0 or i1.

SLIDE 20

SECURITY OF GROUP BLIND SIGNATURES

◮ Traceability: the adversary cannot output an untraceable signature.

[Figure: the traceability game. The adversary receives (gpk, ok) and has access to the oracles AddS, CrptS, ReadReg, SSK and SndToI; it outputs a pair (Σ, m).]

Adversary wins if all of the following hold:
  Σ verifies on m.
  Either Σ does not open to a signer in the group, or Judge does not accept the Opener's decision on Σ.

SLIDE 21

SECURITY OF GROUP BLIND SIGNATURES

◮ Non-Frameability: the adversary cannot output a signature that traces to an honest member who did not produce it.

[Figure: the non-frameability game. The adversary receives (gpk, ik, ok) and has access to the oracles CrptS, ModifyReg, SSK, SndToS and OSign; it outputs (id, Σ1, m1, ..., Σn+1, mn+1).]

Adversary wins if all of the following hold:
  ∀i ∈ {1, ..., n+1}: Σi verifies on mi, opens to id, and the opening is accepted by Judge.
  The adversary asked for only n signatures by signer id.
  In the weak-unforgeability variant, the messages m1, ..., mn+1 must additionally be distinct.

SLIDE 22

SECURITY OF GROUP BLIND SIGNATURES

◮ Blindness: group members do not learn the message being signed.

[Figure: the blindness game. The adversary receives (gpk, ik) and has access to the oracles Open†, SSK, CrptS, SndToS, ModifyReg and ReadReg. It chooses two messages m0, m1; the challenger picks b ← {0,1} and runs Obtain(gpk, m_b) and then Obtain(gpk, m_{1−b}) with the adversary acting as the signer. The adversary then receives (Σ0, Σ1) if both runs succeeded and (⊥, ⊥) otherwise, and outputs a guess b*.]

Adversary wins if b = b*.
◮ † With strong unforgeability, the Open oracle returns ⊥ if (m, Σ) = (m_b, Σ_b) or (m, Σ) = (m_{1−b}, Σ_{1−b}).
◮ With weak unforgeability, the Open oracle returns ⊥ if m ∈ {m0, m1}.

SLIDE 23

CONSTRUCTION CHALLENGES

How to realize the subtle dual privacy requirement and at the same time:
1 Maintain round optimality?
2 Avoid idealized assumptions?

SLIDE 24

(PRIME-ORDER) BILINEAR GROUPS

$\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are finite cyclic groups of prime order $p$, where $\mathbb{G}_1 := \langle G_1 \rangle$ and $\mathbb{G}_2 := \langle G_2 \rangle$.

Pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$: the function $e$ must have the following properties:
◮ Bilinearity: $\forall H_1 \in \mathbb{G}_1,\ H_2 \in \mathbb{G}_2,\ x, y \in \mathbb{Z}$, we have $e(H_1^x, H_2^y) = e(H_1, H_2)^{xy}$.
◮ Non-degeneracy: $e(G_1, G_2) \neq 1$, i.e. $e(G_1, G_2)$ generates $\mathbb{G}_T$.
◮ The function $e$ is efficiently computable.

Type-3 [GPS08]: $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$.

SLIDE 25

GROTH-SAHAI PROOFS

Groth-Sahai proofs [GS08] are built on the following diagram of modules:

$$\begin{array}{ccc}
\mathbb{G}_1 \times \mathbb{G}_2 & \xrightarrow{\ f\ } & \mathbb{G}_T \\
\iota_1 \downarrow\uparrow \rho_1 \quad \iota_2 \downarrow\uparrow \rho_2 & & \iota_T \downarrow\uparrow \rho_T \\
\mathbb{H}_1 := \mathbb{G}_1^2 \ \times\ \mathbb{H}_2 := \mathbb{G}_2^2 & \xrightarrow{\ F\ } & \mathbb{H}_T := \mathbb{G}_T^4
\end{array}$$

The system works by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either:
◮ The simulation setting ⇒ perfectly hiding proofs.
◮ The extraction setting ⇒ perfectly sound proofs.

The limitations:
1 One can only extract a one-way function (i.e. $G_i^w$) of an exponent witness $w$, not $w$ itself.
2 One cannot simulate and extract at the same time.

SLIDE 26

GROTH-SAHAI PROOFS

Useful properties of Groth-Sahai proofs:
◮ Independence of public terms (also independently observed by [Fuc11]). Example: for a pairing-product equation
$$E :\quad \prod_{j=1}^{n} e(A_j, Y_j)\ \prod_{i=1}^{m} e(X_i, B_i)\ \prod_{i=1}^{m}\prod_{j=1}^{n} e(X_i, Y_j)^{\gamma_{i,j}} = t_T,$$
a proof $\Pi$ for $E$ is independent of $t_T$ ⇒ we can transform $\Pi$ into a NIZK/NIWI proof for a related equation without knowledge of the original witness.
◮ Re-randomizability of proofs [BCCKLS09]: re-randomize the GS commitments and update the proofs ⇒ the new proof is unlinkable to the old one.

SLIDE 27

A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME

NCL is based on the CL signature scheme [CL04]:

THE NCL SIGNATURE SCHEME
KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G_2^x,\ Y := G_2^y)$.
Sign: To sign $(M_1, M_2) \in \mathbb{G}_1 \times \mathbb{G}_2$, return $\bot$ if $e(M_1, G_2) \neq e(G_1, M_2)$; otherwise, choose $a \leftarrow \mathbb{Z}_p$ and compute
$$\sigma := \big(A := G_1^a,\ B := A^y,\ C := M_1^{ay},\ D := (A \cdot C)^x\big) \in \mathbb{G}_1^4.$$
Verify: Check that $A \neq 1_{\mathbb{G}_1}$ and
$$e(B, G_2) = e(A, Y), \qquad e(C, G_2) = e(B, M_2), \qquad e(D, G_2) = e(A \cdot C, X).$$

SLIDE 28

A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME

NCL is secure under the (interactive) DH-LRSW assumption:

DEFINITION (DUAL-HIDDEN LRSW (DH-LRSW) ASSUMPTION)
Given $(G_2^x, G_2^y)$ for $x, y \leftarrow \mathbb{Z}_p$ and an oracle that on input a pair $(M_1, M_2) \in \mathbb{G}_1 \times \mathbb{G}_2$ outputs:
◮ $\bot$ if $e(M_1, G_2) \neq e(G_1, M_2)$;
◮ a DH-LRSW tuple $\big(G_1^a,\ G_1^{ay},\ M_1^{ay},\ A^x \cdot M_1^{axy}\big)$ with $A := G_1^a$ for $a \leftarrow \mathbb{Z}_p$ otherwise,
it is infeasible to compute a DH-LRSW tuple for a pair $(M_1', M_2')$ that was never queried to the oracle.

SLIDE 29

THE BLIND SIGNATURE SCHEME [FUC09]

As an example, we use the blind signature scheme by [Fuc09], which is based on the following automorphic signature scheme:

THE AUTOMORPHIC SIGNATURE SCHEME [FUC09]
Setup: Given $(e, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, G_1, G_2, p)$, choose $F, K, T \leftarrow \mathbb{G}_1$.
KeyGen: Choose $s \leftarrow \mathbb{Z}_p$ and set $sk := s$ and $pk := (S_1, S_2) := (G_1^s, G_2^s)$.
Sign: To sign $(M_1, M_2) \in \mathbb{G}_1 \times \mathbb{G}_2$ where $e(M_1, G_2) = e(G_1, M_2)$, choose $r, c \leftarrow \mathbb{Z}_p$ and compute
$$H := (K \cdot T^r \cdot M_1)^{\frac{1}{s+c}},\quad R_1 := G_1^r,\quad R_2 := G_2^r,\quad C_1 := F^c,\quad C_2 := G_2^c.$$
The signature is $\sigma := (H, R_1, C_1, R_2, C_2) \in \mathbb{G}_1^3 \times \mathbb{G}_2^2$.
Verify: Check that
$$e(H, S_2 \cdot C_2) = e(K \cdot M_1, G_2)\, e(T, R_2), \qquad e(C_1, G_2) = e(F, C_2), \qquad e(R_1, G_2) = e(G_1, R_2).$$

SLIDE 30

THE BLIND SIGNATURE SCHEME [FUC09]

The automorphic signature scheme is secure under:

DEFINITION (AWFCDH ASSUMPTION)
Given $(G_1, G_1^a, G_2) \in \mathbb{G}_1^{\times\,2} \times \mathbb{G}_2^{\times}$ for $a \leftarrow \mathbb{Z}_p$, it is infeasible to output a tuple $(G_1^b, G_1^{ab}, G_2^b, G_2^{ab}) \in \mathbb{G}_1^{\times\,2} \times \mathbb{G}_2^{\times\,2}$ for an arbitrary $b \in \mathbb{Z}_p$.

DEFINITION (q-ADHSDH ASSUMPTION)
Given $(G_1, F, K, G_1^x, G_2, G_2^x) \in \mathbb{G}_1^{\times\,4} \times \mathbb{G}_2^{\times\,2}$ for $x \leftarrow \mathbb{Z}_p$, and $q-1$ tuples
$$\Big(A_i := (K \cdot G_1^{r_i})^{\frac{1}{x+c_i}},\ C_{1,i} := F^{c_i},\ C_{2,i} := G_2^{c_i},\ R_{1,i} := G_1^{r_i},\ R_{2,i} := G_2^{r_i}\Big)_{i=1}^{q-1}$$
where $c_i, r_i \leftarrow \mathbb{Z}_p$, it is infeasible to output a new tuple $(A^*, C_1^*, C_2^*, R_1^*, R_2^*)$ of the same form.
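The two schemes on slides 27 and 29 are stated purely as pairing-product equations, which makes them easy to get subtly wrong (a dropped $\neq$, a swapped key variable). As an added example, not code from the slides or from the paper, the block below encodes both NCL and Fuchsbauer's automorphic scheme in a pure-Python "exponent model" of a Type-3 bilinear group: every $\mathbb{G}_1$/$\mathbb{G}_2$ element is stored as its discrete logarithm with respect to $G_1$/$G_2$, a $\mathbb{G}_T$ element as its logarithm with respect to $e(G_1, G_2)$, so $e(G_1^x, G_2^y) = e(G_1, G_2)^{xy}$ becomes multiplication mod $p$. It checks that honest signatures of either scheme pass their verification equations, that non-Diffie-Hellman message pairs are refused, and that the all-identity NCL tuple is rejected only by the $A \neq 1_{\mathbb{G}_1}$ check. The Mersenne prime standing in for $p$, the setup elements and all function names are my own assumptions; the model has no cryptographic security (all logarithms are known by construction) and only validates the algebra.

```python
# Added example, not from the slides: an "exponent model" of a Type-3 bilinear group,
# used to check the NCL (slide 27) and automorphic (slide 29) verification equations.
# Each G1/G2 element is stored as its log w.r.t. the generator G1/G2 and each GT element
# as its log w.r.t. e(G1, G2), so e(G1^x, G2^y) = e(G1, G2)^{xy} is just x*y mod p.
# NO security: every log is known by construction. This only validates the algebra.
import secrets

P = 2**127 - 1  # assumption: any prime stands in for the group order p in this model

def rand_exp():
    """Uniform non-zero scalar, standing in for x <- Z_p."""
    return secrets.randbelow(P - 1) + 1

# Group law in the exponent model: multiplying elements adds logs, powering
# multiplies logs, and the pairing multiplies the logs of its two inputs.
def mul(*xs):
    return sum(xs) % P

def power(x, k):
    return (x * k) % P

def inv(k):
    return pow(k, -1, P)  # modular inverse of a scalar, for exponents 1/(s+c)

def e(x1, x2):
    return (x1 * x2) % P

G1, G2 = 1, 1   # logs of the generators of G1 and G2
ONE_G1 = 0      # log of the identity element 1_{G1}

def dh_pair(m):
    """Message space of both schemes: (M1, M2) = (G1^m, G2^m)."""
    return power(G1, m), power(G2, m)

def is_dh_pair(M1, M2):
    return e(M1, G2) == e(G1, M2)

# ---- NCL structure-preserving signature (slide 27) ----
def ncl_keygen():
    x, y = rand_exp(), rand_exp()
    return (x, y), (power(G2, x), power(G2, y))      # sk = (x, y), pk = (X, Y)

def ncl_sign(sk, M1, M2):
    x, y = sk
    if not is_dh_pair(M1, M2):
        return None                                   # bottom: (M1, M2) is not a DH pair
    a = rand_exp()
    A = power(G1, a)
    B = power(A, y)
    C = power(M1, a * y % P)
    D = power(mul(A, C), x)
    return A, B, C, D

def ncl_verify(pk, M1, M2, sig):
    if sig is None:
        return False
    X, Y = pk
    A, B, C, D = sig
    # The A != 1 check is essential: (1, 1, 1, 1) satisfies all three pairing
    # equations for every message, so without it the trivial tuple is a forgery.
    return (A != ONE_G1
            and e(B, G2) == e(A, Y)
            and e(C, G2) == e(B, M2)
            and e(D, G2) == e(mul(A, C), X))

def trivial_ncl_tuple():
    """The all-identity tuple that only the A != 1 check rejects."""
    return ONE_G1, ONE_G1, ONE_G1, ONE_G1

# ---- Fuchsbauer's automorphic signature (slide 29) ----
F, K, T = rand_exp(), rand_exp(), rand_exp()          # setup elements F, K, T in G1

def auto_keygen():
    s = rand_exp()
    return s, (power(G1, s), power(G2, s))            # sk = s, pk = (S1, S2)

def auto_sign(s, M1, M2):
    if not is_dh_pair(M1, M2):
        return None
    r, c = rand_exp(), rand_exp()
    H = power(mul(K, power(T, r), M1), inv((s + c) % P))
    return H, power(G1, r), power(F, c), power(G2, r), power(G2, c)  # (H, R1, C1, R2, C2)

def auto_verify(pk, M1, M2, sig):
    if sig is None:
        return False
    S1, S2 = pk
    H, R1, C1, R2, C2 = sig
    return (e(H, mul(S2, C2)) == mul(e(mul(K, M1), G2), e(T, R2))
            and e(C1, G2) == e(F, C2)
            and e(R1, G2) == e(G1, R2))

if __name__ == "__main__":
    sk, pk = ncl_keygen()
    M = dh_pair(rand_exp())
    print("NCL honest signature verifies :", ncl_verify(pk, *M, ncl_sign(sk, *M)))
    print("NCL all-identity tuple rejected:", not ncl_verify(pk, *M, trivial_ncl_tuple()))
    s, apk = auto_keygen()
    print("Automorphic signature verifies :", auto_verify(apk, *M, auto_sign(s, *M)))
```

Because discrete logarithms are trivial in this model, nothing here speaks to DH-LRSW, AWFCDH or q-ADHSDH; what it does show is that every honest signature of either scheme satisfies the equations as corrected above (with $\neq$ in the DH-pair test and $s$ rather than $x$ in the automorphic exponent), and that dropping the $A \neq 1_{\mathbb{G}_1}$ check admits a message-independent NCL forgery. A deployment replaces the exponent arithmetic with a pairing-friendly curve library.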

SLIDE 31

FISCHLIN'S GENERIC CONSTRUCTION FOR BLIND SIGNATURES

To get a round-optimal blind signature, Fischlin's framework [Fis06] proceeds as follows:
1 The user sends a commitment C to the message M to the signer.
2 The signer responds with a signature σ on the commitment C.
3 The final blind signature Σ is a NIZK PoK Π of C and σ such that:
  1 σ is a valid signature on C w.r.t. pk.
  2 C is a commitment to M.

SLIDE 32

SIGNER-ANONYMOUS BLIND SIGNATURES

In Fischlin's framework, if:
1 The PoK used is re-randomizable and independent of the public terms, e.g. Groth-Sahai proofs, and
2 The signature scheme has the property that all the terms involving the message in the verification equations are independent of the signature components that depend on the signing key, e.g. [Fuc09],
then we obtain a signer-anonymous blind signature.

SLIDE 33

SIGNER-ANONYMOUS BLIND SIGNATURES

Modify Fischlin's framework as follows:
1 The user sends a commitment C to the message M.
2 The signer signs C and responds with a PoK Π′ of σ and pk such that σ is a valid signature on C w.r.t. pk.
3 The user proceeds as follows:
  1 Re-randomizes Π′ into a fresh proof Π.
  2 Adds to Π a proof that C is a commitment to M.

The final signer-anonymous blind signature Σ is Π.

SLIDE 34

SIGNER-ANONYMOUS BLIND SIGNATURES

Security:
◮ Unforgeability: as in Fischlin's framework.
◮ Blindness: as in Fischlin's framework + re-randomizability of the PoK.
◮ Anonymity: the hiding (i.e. NIWI/NIZK) properties of the PoK.

SLIDE 35

FROM A SIGNER-ANONYMOUS BS TO A GBS

To extend the signer-anonymous BS to a GBS, we need:
1 A signature scheme CERT to certify members' public keys when they join. ⇒ Give sk_CERT to the Issuer as ik.
2 Give the PoK extraction key to the Opener as ok.
3 The signer additionally needs to prove that he has a certificate on his public key w.r.t. pk_CERT, i.e. that he is a member of the group.

SLIDE 36

INSTANTIATIONS

◮ Instantiation I
  The Join protocol: uses the NCL signature scheme.
  The Signing protocol: based on the BS by [Fuc09] (i.e. the automorphic signature scheme + GS proofs).
  Assumptions: DH-LRSW, SXDH, AWFCDH and q-ADHSDH.
◮ The Pros: more efficient (signature size is 38 elements of $\mathbb{G}_1$ and 36 elements of $\mathbb{G}_2$, i.e. $\mathbb{G}_1^{38} \times \mathbb{G}_2^{36}$).
◮ The Cons: involves an interactive intractability assumption (the DH-LRSW assumption).

SLIDE 37

INSTANTIATIONS

◮ Instantiation II
  The Join protocol: uses the automorphic signature scheme [Fuc09].
  The Signing protocol: based on the BS by [Fuc09] (i.e. the automorphic signature scheme [Fuc09] + GS proofs).
  Assumptions: SXDH, AWFCDH and q-ADHSDH.
◮ The Pros: only relies on falsifiable intractability assumptions.
◮ The Cons: less efficient (signature size is 42 elements of $\mathbb{G}_1$ and 38 elements of $\mathbb{G}_2$, i.e. $\mathbb{G}_1^{42} \times \mathbb{G}_2^{38}$).

SLIDE 38

ACHIEVING FULL ANONYMITY

Groth-Sahai proofs are not simulation-sound ⇒ when simulating, we can no longer answer Open queries.

Q: How to achieve full anonymity?
A: One way is to combine Groth-Sahai proofs with an IND-CCA2 encryption scheme.
◮ ⇒ The signer additionally encrypts the witness and proves that it was done correctly. When simulating, decrypt the ciphertext to recover the witness.
◮ Since the user re-randomizes the final proof, the encryption scheme also needs to be re-randomizable, which is incompatible with IND-CCA2 security; a re-randomizable IND-RCCA encryption scheme might be used instead.

SLIDE 40

SUMMARY

◮ A formal security model for the primitive.
◮ Round-optimal constructions.
◮ The first constructions without idealized assumptions.

SLIDE 41

OPEN PROBLEMS

◮ Efficient fully-anonymous instantiations.
◮ More efficient constructions without idealized assumptions.

SLIDE 42

THE END

Thank you for your attention! Questions?