Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures

SLIDE 1

SCIENCE PASSION TECHNOLOGY
www.iaik.tugraz.at

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability

Olivier Blazy¹, David Derler², Daniel Slamanig², Raphael Spreitzer²

¹ Université de Limoges, XLim, France

² IAIK, Graz University of Technology, Austria

CT-RSA 2016, San Francisco, 2nd March 2016

SLIDE 2

Group Signature Schemes [CvH91]

[Figure: Signer i (x_i) in the Group, group signature σ, Verifier (pk); Group Manager (pk): Issuer (mik), Opener (mok)]

Blazy, Derler, Slamanig, Spreitzer CT-RSA 2016, San Francisco, 2nd March 2016 2

SLIDE 3

Controllable Linkability [HLhC+11, SSU14]

But can I trust the Linker?

[Figure: Verifier (pk) with (σ1, M1), (σ2, M2); Group Manager (pk): Issuer (mik), Linker (mlk), Opener (mok); speech bubble: "No idea who signed them!"]

SLIDE 4

Verifiable Controllable Linkability

Prove it!

[Figure: Verifier (pk) with (σ1, M1), (σ2, M2); Group Manager (pk): Issuer (mik), Linker (mlk), Opener (mok); speech bubble: "Still no idea who signed them!"]

SLIDE 5

Sign-Encrypt-Prove Paradigm

Basic building blocks

  • DS = (KG_s, Sign, Verify)
  • AE = (KG_e, Enc, Dec)
  • Signature of Knowledge

Keys

  • gpk ← (pk_e, pk_s), gmsk ← sk_e, gmik ← sk_s

Join

  • User's secret: x_i
  • Issuer computes: cert ← Sign(gmik, f(x_i))

SLIDE 6

Sign-Encrypt-Prove Paradigm I

Sign

  • T ← Enc(pk_e, cert)
  • π ← SoK{(x_i, cert) : cert = Sign(sk_s, f(x_i)) ∧ T = Enc(pk_e, cert)}(m)
  • σ ← (T, π)

Verify

  • "verification of π"

Open

  • cert ← Dec(sk_e, T)

SLIDE 7

Contributions

  1. Generic proof system for plaintext (in-)equality
  2. Efficient instantiation of this proof system
  3. Group signatures with verifiable controllable linkability
  4. Extend GSs with verifiable controllable linkability (VCL)

SLIDE 8

Controllable Linkability

Public key encryption with equality tests [Tan12, SSU14]

  • Conventional public key encryption scheme
  • + Com algorithm for equality tests using trapdoor
  • ⇒ Link: 1/0 ← Com(T, T′, gmlk)
  • Semantic security without trapdoor
  • One-way security for trapdoor holders

SLIDE 9

Setting

[Figure: Verifier (pk) and Linker (mlk); request: Link (π1, ), (π2, ); test: cert_i =? cert_j; answer: Yes/No, π]

Non-interactive plaintext (in-)equality proofs

SLIDE 10

Non-Interactive Plaintext (In-)Equality Proofs

Given any PKEQ and ciphertexts T and T′ under pk

Proof system Π

  1. Prove knowledge of trapdoor tk
  2. Com = 1 (membership) or Com = 0 (non-membership)
  3. Without revealing trapdoor tk

SLIDE 11

(Non-)Membership Proofs

Com = 1 defines language $L_{\in}$ for membership

  • Witnessed by trapdoor tk
  • Standard techniques [GS08]

Com = 0 defines language $L_{\notin}$ for non-membership

Idea [BCV15]

  • $\Pi_1$: Failing membership proof for $L_{\in}$
  • $\Pi_2$: Proof that $\Pi_1$ has been computed honestly

Efficient instantiations (GS and SPHFs)

Technicalities: m, r must be known [BCV15]

SLIDE 12

Smooth Projective Hash Functions (SPHFs)

SLIDE 13

Construction - Non-Membership Proof

SLIDE 14

Example of Efficient Instantiation

ElGamal with equality tests (as in [SSU14])

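  • Keypair: $(sk, pk) \leftarrow (x, g^x) \in \mathbb{Z}_p \times \mathbb{G}_1$
  • Trapdoor: $(\hat{r}, \hat{r}^x) \in \mathbb{G}_2 \times \mathbb{G}_2$
  • Encryption of $m$: $(g^r, m \cdot g^{x \cdot r}) \in \mathbb{G}_1 \times \mathbb{G}_1$

Pairing-based equality test

  • Ciphertexts: $(g^r, m \cdot g^{x \cdot r})$, $(g^{r'}, m' \cdot g^{x \cdot r'})$

$$m = m' \iff \frac{e(m \cdot g^{x \cdot r}, \hat{r})}{e(g^r, \hat{r}^x)} = \frac{e(m' \cdot g^{x \cdot r'}, \hat{r})}{e(g^{r'}, \hat{r}^x)}$$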

SLIDE 15

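Instantiation of $\Pi_{\in}$

Com = 1: plaintext equality proof

$$((g^r, m \cdot g^{x \cdot r}), (g^{r'}, m' \cdot g^{x \cdot r'}), g^x) \in L_{\in} \iff$$

$$\frac{e(m \cdot g^{x \cdot r}, \hat{r})}{e(g^r, \hat{r}^x)} = \frac{e(m' \cdot g^{x \cdot r'}, \hat{r})}{e(g^{r'}, \hat{r}^x)}$$

$$e(g, \hat{r}^x) = e(g^x, \hat{r})$$

$$\prod_{i=1}^{2} e(A_i, \hat{Y}_i) = \frac{e(m \cdot g^{x \cdot r} \cdot (m' \cdot g^{x \cdot r'})^{-1}, \hat{r})}{e(g^r \cdot g^{-r'}, \hat{r}^x)} = 1_{\mathbb{G}_T}$$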
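The equality test from the ElGamal slide and the two conditions of the equality-proof slide, checked in a toy model (an added example, not code from the slides or the paper). Group elements are stored as their exponents mod a prime, so the pairing becomes multiplication; this is insecure and only exercises the algebra. All function names and sample values are assumptions.

```python
# Toy "exponent model" (constructed for illustration, NOT secure): g^a, g_hat^b and
# e(g, g_hat)^c are stored as a, b, c mod P, so e(g^a, g_hat^b) is a*b mod P.
import secrets

P = 2**127 - 1  # prime group order (toy parameter)

def pair(a, b):
    return (a * b) % P

def keygen():
    x = secrets.randbelow(P - 1) + 1
    return x, x                       # (sk, pk) = (x, g^x); the model exposes x

def trapdoor(x):
    rho = secrets.randbelow(P - 1) + 1    # r_hat = g_hat^rho
    return rho, (rho * x) % P             # (r_hat, r_hat^x)

def enc(pk, m, r):
    return r % P, (m + pk * r) % P    # (g^r, m * g^(x*r))

def link_tag(T, tk):
    # e(m*g^(x*r), r_hat) / e(g^r, r_hat^x); dividing in GT subtracts exponents
    return (pair(T[1], tk[0]) - pair(T[0], tk[1])) % P

def com(T1, T2, tk):
    return 1 if link_tag(T1, tk) == link_tag(T2, tk) else 0

def ppe_holds(T1, T2, tk):
    # Combined form: e(c2 * c2'^-1, r_hat) / e(c1 * c1'^-1, r_hat^x) = 1
    return (pair(T1[1] - T2[1], tk[0]) - pair(T1[0] - T2[0], tk[1])) % P == 0

def trapdoor_matches_pk(pk, tk):
    # e(g, r_hat^x) = e(g^x, r_hat) ties the trapdoor to the public key
    return pair(1, tk[1]) == pair(pk, tk[0])

def demo():
    sk, pk = keygen()
    tk, wrong_tk = trapdoor(sk), trapdoor((sk + 1) % P)  # second one: other key
    cert_i, cert_j = 1234567, 7654321                    # constructed plaintexts
    Ti, Ti2, Tj = enc(pk, cert_i, 11), enc(pk, cert_i, 22), enc(pk, cert_j, 33)
    return {
        "equal": com(Ti, Ti2, tk), "unequal": com(Ti, Tj, tk),
        "ppe": ppe_holds(Ti, Ti2, tk),
        "tk_ok": trapdoor_matches_pk(pk, tk),
        "wrong_tk_ok": trapdoor_matches_pk(pk, wrong_tk),
        "wrong_tk_equal": com(Ti, Ti2, wrong_tk),
    }

if __name__ == "__main__":
    print(demo())
```

With a trapdoor built for a different key, two encryptions of the same plaintext no longer link, which is why the statement being proven includes the check that the trapdoor matches the public key.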

SLIDE 16

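Instantiation of $\Pi_{\notin}$

Com = 0: plaintext inequality proof

$$((g^r, m \cdot g^{x \cdot r}), (g^{r'}, m' \cdot g^{x \cdot r'}), g^x) \in L_{\notin} \iff$$

$$\frac{e(m \cdot g^{x \cdot r}, \hat{r})}{e(g^r, \hat{r}^x)} \neq \frac{e(m' \cdot g^{x \cdot r'}, \hat{r})}{e(g^{r'}, \hat{r}^x)}$$

$$e(g, \hat{r}^x) = e(g^x, \hat{r})$$

⇒ Our construction for non-membership proofs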

SLIDE 17

NIPEI Proof System

Proof system $\Pi = (\Pi_{\in}, \Pi_{\notin})$

[Figure: Verifier (pk) and Linker (mlk); request: Link (π1, ), (π2, ); test: cert_i =? cert_j; answer: Yes/No, π]

SLIDE 18

GSSs with Verifiable Controllable Linkability

Extended security model for VCL-GS

  • Algorithms: Link and LinkJudge
  • Property: linking soundness

Instantiation based on NIPEI

  • Link: Π.Proof
  • LinkJudge: Π.Verify

SLIDE 19

Take-Home Message

  • Proposed generic approach for (in-)equality proof
  • Efficient instantiation in the pairing setting
  • Rather independent of encryption scheme
      • Various DDH/DLIN ElGamal variants
      • CCA2: Naor-Yung and Cramer-Shoup (for free)

Novel application

  • GSSs with verifiable controllable linkability

SLIDE 21

Bibliography I

[BCV15] Olivier Blazy, Céline Chevalier, and Damien Vergnaud. Non-Interactive Zero-Knowledge Proofs of Non-Membership. In CT-RSA, 2015.

[CvH91] David Chaum and Eugène van Heyst. Group Signatures. In EUROCRYPT, 1991.

[GS08] Jens Groth and Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. In EUROCRYPT, 2008.

[HLhC+11] Jung Yeon Hwang, Sokjoon Lee, Byung ho Chung, Hyun Sook Cho, and DaeHun Nyang. Short Group Signatures with Controllable Linkability. In LightSec. IEEE, 2011.

[SSU14] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Adding Controllable Linkability to Pairing-Based Group Signatures for Free. In ISC, 2014.

[Tan12] Qiang Tang. Public Key Encryption Supporting Plaintext Equality Test and User-Specified Authorization. Security and Communication Networks, 5(12), 2012.
