Practical Round-Optimal Blind Signatures in the Standard Model from - - PowerPoint PPT Presentation



SLIDE 1

Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions

G. Fuchsbauer∗, C. Hanser†, C. Kamath‡, and D. Slamanig†

∗École Normale Supérieure, Paris
†IAIK, Graz University of Technology, Austria
‡Institute of Science and Technology Austria

September 2, 2016

1 / 22

SLIDE 2

Blind Signatures

Blindness! Unforgeability!

xkcd.com

SLIDE 3

Overview

◮ Desiderata:

  • 1. Round-optimality (hence efficiency and composability)
  • 2. No heuristic assumptions
  • 3. No set-up assumptions

◮ Hard to construct: [FS10]
◮ Possibility: [GG14, GRS+11]
◮ First practical scheme: [FHS15]

  SPS-EQ + commitments
  CDH, EUF-CMA ⟹ Unforgeability
  Interactive variant of DDH ⟹ Blindness

◮ Our contribution: weaker assumptions!

SLIDE 4

Preliminaries

◮ Asymmetric pairing $e : G_1 \times G_2 \to G_T$

  ◮ Bilinearity: $e(aP, b\hat{P}) = e(P, \hat{P})^{ab}$
  ◮ Non-degeneracy: $e(P, \hat{P}) \neq 1_{G_T}$
  ◮ Efficiency: $e(\cdot, \cdot)$ efficiently computable

◮ Structure-Preserving Signatures [AFG+10]

  ◮ Signing vector of group elements
  ◮ Signatures and PKs consist only of group elements
  ◮ Verification via

  • 1. pairing-product equations
  • 2. group membership tests

SLIDE 5

SPS on Equivalence Classes

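[Figure: equivalence classes $[(1, 1)]$ and $[(2, 1)]$ with representatives M, N, Q. Labels: $\mathsf{Sign}_R$, $\mathsf{ChgRep}_R$, $\sigma_M$, $\sigma_N$]

◮ Equivalence relation $\sim_R$ on $G^\ell$: $M \sim_R N \Leftrightarrow \exists \mu \in Z_p^* : N = \mu \cdot M$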

◮ SPS-EQ := SPS + “change representative” functionality

SLIDE 6

SPS-EQ: Security

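[Figure: class $[(1, 1)]$ with representatives M, N. Labels: $\sigma_M$, $\sigma_N$, $\mathsf{ChgRep}_R$, $\mathsf{Sign}_R$ (twice), ≈]

◮ Class-hiding: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk) \approx \mathsf{Sign}_R(\mu M, sk)$

◮ Malicious keys: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk)$ uniform in space of signatures on $\mu M$

◮ Unforgeability: EUF-CMA w.r.t. $\sim_R$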

SLIDE 7

SPS-EQ: Security

[Figure: equivalence classes $[(1, 1)]$, $[(2, 1)]$, $[(1, 2)]$, $[(1, 4)]$, $[(4, 1)]$]

◮ Class-hiding: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk) \approx \mathsf{Sign}_R(\mu M, sk)$

◮ Malicious keys: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk)$ uniform in space of signatures on $\mu M$

◮ Unforgeability: EUF-CMA w.r.t. $\sim_R$

SLIDE 8

Blind Signatures from SPS-EQ

SLIDE 9

FHS Blind Signature

◮ Bob:

  • 1. Commits to m using Pedersen commitment $C = mP + rQ$
  • 2. Obtains signature π from Alice on random $M \sim [(C, P)]_R$
  • 3. Derives σ on $(C, P)$ using $\mathsf{ChgRep}_R$
  • 4. Outputs τ = (σ, opening of C) to Charlie

[Figure: steps 1 to 3 of the protocol. Labels: m; $(C, P)$ in class $[(C, P)]$; M, π; σ]

SLIDE 10

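$sk = (sk_R, q)$, $pk = (pk_R, (Q, \hat{Q}) = q \cdot (P, \hat{P}))$
$m \in Z_p^*$; $r, s \in Z_p^*$
$M = s \cdot (mP + rQ, P)$ (Pedersen commitment)
$\pi \leftarrow \mathsf{Sign}_R(M, sk)$
$\sigma \leftarrow \mathsf{ChgRep}_R(M, \pi, 1/s, pk_R)$
$\tau \leftarrow (\sigma, R = rP, T = rQ)$ (opening)

$(m, \tau)$:
$\mathsf{Verify}_R((mP + T, P), \sigma, pk_R) \stackrel{?}{=} 1$
$e(R, \hat{Q}) \stackrel{?}{=} e(T, \hat{P})$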

SLIDE 11

Blindness: Honest-Key Model

[Figure: blindness game. Labels: $(pk, sk)$; $(m_0, m_1)$; $b \sim \{0, 1\}$; $U(m_b, pk)$; $U(m_{\bar{b}}, pk)$; $(\tau_0, \tau_1)$; $b^*$]

SLIDE 12

Blindness: Honest-Key Model...

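[Figure: blindness game. Labels: $((pk_R, (Q, \hat{Q})), (sk_R, q))$; $(m_0, m_1)$; $b \sim \{0, 1\}$; $r_b, s_b \sim Z_p^*$; $r_{\bar{b}}, s_{\bar{b}} \sim Z_p^*$; $\cdots (m_b(s_b P) + q(r_b s_b P), P) \cdots$; $\cdots (m_{\bar{b}}(s_{\bar{b}} P) + q(r_{\bar{b}} s_{\bar{b}} P), P) \cdots$; $(\tau_0, \tau_1)$; $b^*$]

Embed DDH instance $(P, rP, sP, tP)$
$\tau = (\sigma, R, T)$ : $\sigma = \mathsf{ChgRep}_R(\cdot, \cdot, 1/s, \cdot)$
$\mathsf{Sign}_R$ instead of $\mathsf{ChgRep}_R$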

SLIDE 13

Blindness: Malicious-Key Model

[Figure: blindness game. Labels: $U(m_b, pk)$; $U(m_{\bar{b}}, pk)$; $(\tau_0, \tau_1)$; $b \sim \{0, 1\}$; $(m_0, m_1)$; $b^*$; $(pk, sk)$; pk; sk]

SLIDE 14

Blindness: Malicious-Key Model...

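[Figure: blindness game. Labels: $\cdots (m_b(s_b P) + q(r_b s_b P), P) \cdots$; $\cdots (m_{\bar{b}}(s_{\bar{b}} P) + q(r_{\bar{b}} s_{\bar{b}} P), P) \cdots$; $(\tau_0, \tau_1)$; $b \sim \{0, 1\}$; $r_b, s_b \sim Z_p^*$; $r_{\bar{b}}, s_{\bar{b}} \sim Z_p^*$; $(pk_R, (Q, \hat{Q}))$; $(m_0, m_1)$; $b^*$; $(sk_R, q)$; Unknown to Bob]

τ cannot be computed without sk

◮ Solution:

  • 1. Interactive variant of DDH needed
  • 2. Rewind Alice to generate signatures ($\mathsf{ChgRep}_R$ uniform)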

SLIDE 15

Our construction

◮ Idea: Bob chooses parameters for commitment

◮ Must be perfectly binding

◮ Bob:

  • 1. Chooses “one-time” keys (P, Q) for ElGamal encryption
  • 2. Commits to m using $C = mP + rQ$
  • 3. Obtains signature π from Alice on $M \sim [(C, rP, Q, P)]_R$
  • 4. Derives σ on $(C, rP, Q, P)$ using $\mathsf{ChgRep}_R$
  • 5. Outputs τ = (σ, opening of C) to Charlie

SLIDE 16

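$pk = pk_R$, $sk = sk_R$
$m \in Z_p^*$; $r, s \in Z_p^*$, $R = rP$; $q \in Z_p^*$, $Q := qP$
$M = s \cdot (mP + rQ, R, Q, P)$
$\pi \leftarrow \mathsf{Sign}_R(M, sk)$
$\sigma \leftarrow \mathsf{ChgRep}_R(M, \pi, 1/s, pk_R)$
$\tau \leftarrow (\sigma, R, Q, Z = rQ, \hat{Q} = q\hat{P})$

$(m, \tau)$:
$\mathsf{Verify}_R((mP + Z, R, Q, P), \sigma, pk_R) \stackrel{?}{=} 1$
$e(Q, \hat{P}) \stackrel{?}{=} e(P, \hat{Q})$, $e(Z, \hat{P}) \stackrel{?}{=} e(R, \hat{Q})$

sR allows verification! $e(M_1 - mM_4) \stackrel{?}{=} e(M_2, \hat{Q})$
Solution: split q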

SLIDE 17

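$m \in Z_p^*$; $r, s \in Z_p^*$, $R = rP$; $u, v \in Z_p^*$, $Q := uvP$
$pk = pk_R$, $sk = sk_R$
$M = s \cdot (mP + rQ, R, Q, P)$
$\pi \leftarrow \mathsf{Sign}_R(M, sk)$
$\sigma \leftarrow \mathsf{ChgRep}_R(M, \pi, 1/s, pk_R)$
$\tau \leftarrow (\sigma, R, Q, Y = rQ, U = uP, X = ruP, \hat{U} = u\hat{P}, \hat{V} = v\hat{P})$

$(m, \tau)$:
$\mathsf{Verify}_R((mP + Y, R, Q, P), \sigma, pk_R) \stackrel{?}{=} 1$
$e(Q, \hat{P}) \stackrel{?}{=} e(U, \hat{V})$, $e(U, \hat{P}) \stackrel{?}{=} e(P, \hat{U})$
$e(X, \hat{P}) \stackrel{?}{=} e(R, \hat{U})$, $e(Y, \hat{P}) \stackrel{?}{=} e(X, \hat{V})$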
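Added example (not from the slides or the authors' code): the algebra of slides 16 and 17 in a toy exponent model, where aP is stored as a mod p and e(aP, bP̂) as ab mod p, so it checks equations only and has no security. The prime p, all function names, and P̂ as the second pairing argument in the slide-16 test are assumptions.

```python
import secrets

p = 2**61 - 1  # constructed prime standing in for the group order (assumption)

def rand():
    """Uniform element of Z_p^*."""
    return secrets.randbelow(p - 1) + 1

def e(a, b):
    """Pairing in the exponent: e(aP, b*P_hat) = e(P, P_hat)^(ab)."""
    return a * b % p

def scale(k, vec):
    """k * vec for a vector of G1 elements (change of representative)."""
    return tuple(k * x % p for x in vec)

def request(m, q):
    """Bob's blinded message M = s*(mP + rQ, R, Q, P) with R = rP, Q = qP."""
    r, s = rand(), rand()
    return scale(s, ((m + r * q) % p, r, q, 1)), r, s

def opening(r, u, v):
    """Slide 17 opening for Q = uvP: R, Q, Y, U, X, U_hat, V_hat."""
    return dict(R=r, Q=u * v % p, Y=r * u * v % p, U=u, X=r * u % p,
                U_hat=u, V_hat=v)

def check_opening(t):
    """The four pairing checks of slide 17 (P and P_hat are 1 in this model)."""
    return (e(t["Q"], 1) == e(t["U"], t["V_hat"])
            and e(t["U"], 1) == e(1, t["U_hat"])
            and e(t["X"], 1) == e(t["R"], t["U_hat"])
            and e(t["Y"], 1) == e(t["X"], t["V_hat"]))

def unblind(M, s, m, t):
    """(1/s)*M must equal the vector (mP + Y, R, Q, P) that Charlie verifies."""
    return scale(pow(s, -1, p), M) == ((m + t["Y"]) % p, t["R"], t["Q"], 1)

def signer_links(M, m, Q_hat):
    """Slide 16 test once Q_hat = q*P_hat is published in tau:
    e(M1 - m*M4, P_hat) == e(M2, Q_hat); P_hat as second argument is assumed."""
    return e((M[0] - m * M[3]) % p, 1) == e(M[1], Q_hat)
```

Exponents are visible in this model, so it cannot show hardness: the slides rest the blindness of the split-q version on the ABDDH+ assumption.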

SLIDE 18

Blindness: Malicious-Key Model

[Figure: blindness game. Labels: $(m_b(sP) + rsuvP, rsP, suvP, sP)$; $U(m_{\bar{b}}, pk)$; $(\tau_0, \tau_1)$; $b \sim \{0, 1\}$; $r, s \sim Z_p^*$; $u, v \sim Z_p^*$; $pk_R$; $(m_0, m_1)$; $b^*$; $sk_R$; Embed ABDDH+ instance; Compute τ by rewinding]

◮ ABDDH+ assumption: hard to distinguish $ruvP$ from random given: $rP, uP, uvP, u\hat{P}, v\hat{P}$

◮ ABDDH+ ⟹ DDH

◮ Hard in generic group model

SLIDE 19

Blindness: Malicious-Key Model...

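[Figure: two runs of the blindness game. No embedding: pk; $(m_0, m_1)$; $c \sim \{0, 1\}$; $U(m_c, pk)$; $U(m_{\bar{c}}, pk)$; $(\sigma, \sigma_1)$; ∗. Embed: pk; $(m_0, m_1)$; $b \sim \{0, 1\}$; $U(m_b, pk)$; $U(m_{\bar{b}}, pk)$; $(\tau_0, \tau_1)$; $\mathsf{ChgRep}_R(∗)$; $b^*$]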

◮ Multiple rewinds required: fails for single rewind!

SLIDE 20

Comparison

                 [GG14]    [FHS15]            This work
Assumption       DLIN      Interactive DDH    ABDDH+
Public-key       43G       1G1 + 3G2          4G2
Communication    > 41G     4G1 + 1G2          6G1 + 1G2
Signatures       183G      4G1 + 1G2          7G1 + 3G2
Computation      9e        7e                 14e

SLIDE 21

References

AFG+10  M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements.
FHS15   G. Fuchsbauer, C. Hanser and D. Slamanig. Practical Round-Optimal Blind Signatures in the Standard Model. CRYPTO 2015
FS10    M. Fischlin and D. Schröder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010
GG14    S. Garg and D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014
GRS+11  S. Garg, V. Rao, A. Sahai, D. Schröder and D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011
