

  1. Formalizing Group Blind Signatures and Practical Constructions Without Random Oracles. Essam Ghadafi (ghadafi@cs.bris.ac.uk), University of Bristol. ACISP 2013.

  2. Outline: 1 Background; 2 Security Model; 3 Building Blocks; 4 Our Constructions; 5 Full Anonymity; 6 Summary & Open Problems.


  8. Group Blind Signatures. Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the privacy of the message to be signed. Group Blind Signatures [LZ98] combine the properties of the above and thus preserve both the anonymity of the signer and the privacy of the message.

  9. Group Blind Signatures (figure). The slide shows the parties of the primitive: the Issuer, holding the issuing key ik; the Opener, holding the opening key ok; the Group of members; and the User. The group public key gpk is known to everyone. A group member produces a signature Sig that is handed to the User.

  13. History and Related Work. The primitive which combines the properties of a blind signature [Cha83] and a group signature [CH91] was introduced by Lysyanskaya and Ramzan [LZ98]. Existing constructions: ◮ Lysyanskaya and Ramzan, 1998. Based on Camenisch-Stadler group signatures [CS97]. ◮ K. Q. Nguyen, Y. Mu, and V. Varadharajan, 1999. Uses divertible zero-knowledge proofs [OO90].

  14. Applications of Group Blind Signatures. Group blind signatures provide bi-directional privacy and are thus useful for applications with such a requirement. Example applications: ◮ Distributed e-cash, e.g. [LZ98]: the e-coin reveals neither the identity of its holder nor that of the issuing bank/branch. ◮ Other applications include multi-authority e-voting and e-auction systems.

  15. Our Contribution. ◮ A formal security model for the primitive. ◮ A generic construction. ◮ The first instantiations without random oracles. ◮ Other useful building blocks and observations.

  16. Security Definition Challenges. The signing protocol is blind, i.e. the message is not known to the signer and, from the signer's point of view, the resulting signature is not well defined, so: 1 How to define Full Anonymity, i.e. CCA2 Anonymity? ⇒ How to identify the challenge signature? 2 How to define non-frameability? 3 How to extend blindness to the group setting?

  17. Syntax of Group Blind Signatures. A group blind signature scheme consists of:
  GKg($1^\lambda$): Outputs gpk, ik and ok.
  UKg: Outputs a pair of personal secret/public keys (ssk[i], spk[i]) for a signer.
  ⟨Join(gpk, i, ssk[i]), Issue(ik, i, spk[i])⟩: If successful, Signer i becomes a member and obtains a group signing key gsk[i].
  ⟨Obtain(gpk, m), Sign(gsk[i])⟩: If successful, the user obtains a signature Σ; otherwise, it outputs ⊥.
  GVf(gpk, m, Σ): Verifies whether Σ is valid on the message m.
  Open(gpk, ok, reg, m, Σ): Returns the identity of the signer plus a proof τ.
  Judge(gpk, i, spk[i], m, Σ, τ): Verifies the Opener's decision.

  18. Security of Group Blind Signatures. ◮ Correctness: If all parties are honest, then signatures are accepted by the GVf algorithm, the Opener can identify the signer, and the Judge algorithm accepts the Opener's decision.

  19. Security of Group Blind Signatures. ◮ Anonymity: Signatures do not reveal who signed them. (Experiment, drawn as a figure on the slide: the adversary receives gpk and ik, has access to the oracles Open†, Ch, ModifyReg, CrptS, SndToS and SSK, submits two identities $i_0, i_1$ to the challenge oracle Ch, the challenger picks $b \leftarrow \{0,1\}$, and the adversary finally outputs a bit $b^*$.) Adversary wins if: $b = b^*$. ◮ † Similarly to IND-RCCA [CKN03], the Open oracle returns ⊥ if the signature opens to $i_0$ or $i_1$.

  20. Security of Group Blind Signatures. ◮ Traceability: The adversary cannot output an untraceable signature. (Experiment, drawn as a figure on the slide: the adversary receives gpk and ok, has access to the oracles AddS, CrptS, SndToI, ReadReg and SSK, and outputs a pair $(\Sigma, m)$.) Adversary wins if all the following hold: $\Sigma$ verifies on $m$; and either $\Sigma$ does not open to a signer in the group or Judge does not accept the Opener's decision on $\Sigma$.

  21. Security of Group Blind Signatures. ◮ Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it. (Experiment, drawn as a figure on the slide: the adversary receives gpk, ik and ok, has access to the oracles CrptS, SndToS, OSign, ModifyReg and SSK, and outputs $(\mathrm{id}, \Sigma_1, m_1, \ldots, \Sigma_{n+1}, m_{n+1})$.) Adversary wins if all the following hold: $\forall i \in \{1, \ldots, n+1\}$, $\Sigma_i$ verifies on $m_i$, opens to id and the opening is accepted by Judge; the adversary asked for only $n$ signatures by signer id; if weak unforgeability, the messages are distinct.

  22. Security of Group Blind Signatures. ◮ Blindness: Group members do not learn the message being signed. (Experiment, drawn as a figure on the slide: the adversary receives gpk and ik and chooses two messages $m_0, m_1$; the challenger picks $b \leftarrow \{0,1\}$ and runs Obtain(gpk, $m_b$) and then Obtain(gpk, $m_{1-b}$) with the adversary acting as the signer through SndToS; the adversary receives $(\Sigma_0, \Sigma_1)$ or $(\bot, \bot)$, has access to the oracles Open†, ModifyReg, ReadReg, CrptS, SndToS and SSK, and outputs a bit $b^*$.) Adversary wins if: $b = b^*$. ◮ † If strong unforgeability, the Open oracle returns ⊥ if $(m, \Sigma) = (m_b, \Sigma_b)$ or $(m, \Sigma) = (m_{1-b}, \Sigma_{1-b})$. ◮ If weak unforgeability, the Open oracle returns ⊥ if $m \in \{m_0, m_1\}$.

  23. Construction Challenges. How to realize the subtle dual privacy requirement and 1 maintain round optimality, 2 avoid idealized assumptions?

  24. (Prime-Order) Bilinear Groups. $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are finite cyclic groups of prime order $p$, where $\mathbb{G}_1 := \langle G_1 \rangle$ and $\mathbb{G}_2 := \langle G_2 \rangle$. Pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$: the function $e$ must have the following properties: ◮ Bilinearity: $\forall H_1 \in \mathbb{G}_1,\ H_2 \in \mathbb{G}_2,\ x, y \in \mathbb{Z}$, we have $e(H_1^x, H_2^y) = e(H_1, H_2)^{xy}$. ◮ Non-degeneracy: the value $e(G_1, G_2) \neq 1$ generates $\mathbb{G}_T$. ◮ The function $e$ is efficiently computable. Type-3 [GPS08]: $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$.

  25. Groth-Sahai Proofs. Groth-Sahai proofs [GS08] lift the bilinear map $f : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ to a map $F : \mathbb{B}_1 \times \mathbb{B}_2 \rightarrow \mathbb{B}_T$ on the modules $\mathbb{B}_1 := \mathbb{G}_1^2$, $\mathbb{B}_2 := \mathbb{G}_2^2$ and $\mathbb{B}_T := \mathbb{G}_T^4$, with inclusion maps $\iota_1, \iota_2, \iota_T$ from $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ into the modules and projection maps $\rho_1, \rho_2, \rho_T$ back (the slide draws this as a commutative diagram). The system works by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either: ◮ The simulation setting ⇒ perfectly hiding proofs. ◮ The extraction setting ⇒ perfectly sound proofs. The limitations: 1 One can only extract a one-way function (i.e. $G_i^w$) of an exponent witness $w$. 2 One cannot simulate and extract at the same time.

  26. Groth-Sahai Proofs. Useful properties of Groth-Sahai proofs: ◮ Independence of public terms (also independently observed by [Fuc11]). Example: for the pairing-product equation
  $$E := \prod_{j=1}^{n} e(A_j, Y_j) \cdot \prod_{i=1}^{m} e(X_i, B_i) \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} e(X_i, Y_j)^{\gamma_{i,j}} = t_T,$$
  a proof $\Pi$ for $E$ is independent of $t_T$ ⇒ we can transform $\Pi$ into a NIZK/NIWI proof for a related equation without knowledge of the original witness. ◮ Re-randomizability of proofs [BCCKLS09]: re-randomize the GS commitments and update the proofs ⇒ the new proof is unlinkable to the old one.

  27. A New Structure-Preserving Signature Scheme. NCL is based on the CL signature scheme [CL04]. The NCL Signature Scheme:
  KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G_2^x,\ Y := G_2^y)$.
  Sign: To sign $(M_1, M_2) \in \mathbb{G}_1 \times \mathbb{G}_2$, return ⊥ if $e(M_1, G_2) \neq e(G_1, M_2)$; otherwise, choose $a \leftarrow \mathbb{Z}_p$ and compute
  $$\sigma := \big(A := G_1^a,\ B := A^y,\ C := M_1^{ay},\ D := (A \cdot C)^x\big) \in \mathbb{G}_1^4.$$
  Verify: Check that $A \neq 1_{\mathbb{G}_1}$ and
  $$e(B, G_2) = e(A, Y), \qquad e(C, G_2) = e(B, M_2), \qquad e(D, G_2) = e(A \cdot C, X).$$
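  The following correctness derivation for the three NCL verification equations is added here as a worked example; it is not part of the slides. It uses the slide's symbols and bilinearity from slide 24, and assumes (as the well-formedness check $e(M_1, G_2) = e(G_1, M_2)$ guarantees, since $\mathbb{G}_1$ and $\mathbb{G}_2$ are cyclic of prime order) that $M_1 = G_1^m$ and $M_2 = G_2^m$ for one exponent $m$ that neither the signer nor the verifier needs to know:
  $$\begin{aligned}
  e(B, G_2) &= e(A^y, G_2) = e(A, G_2)^y = e(A, G_2^y) = e(A, Y),\\
  e(C, G_2) &= e(M_1^{ay}, G_2) = e(G_1, G_2)^{aym} = e(G_1^{ay}, G_2^m) = e(B, M_2),\\
  e(D, G_2) &= e((A \cdot C)^x, G_2) = e(A \cdot C, G_2)^x = e(A \cdot C, G_2^x) = e(A \cdot C, X).
  \end{aligned}$$
  The check $A \neq 1_{\mathbb{G}_1}$ is not cosmetic. With $a = 0$ one gets $A = G_1^0 = 1$, hence $B = A^y = 1$, $C = M_1^{0} = 1$ and $D = (A \cdot C)^x = 1$, and the tuple $\sigma = (1, 1, 1, 1)$ satisfies all three pairing equations for every message pair $(M_1, M_2)$, because both sides of each equation evaluate to $1_{\mathbb{G}_T}$. A verifier that omits the identity check therefore accepts a universal forgery; an implementation must reject the identity element (and, on a concrete curve, any point not in the prime-order subgroup) before evaluating the pairings.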
