Rerandomizable Signatures under Standard Assumption (PowerPoint PPT Presentation)



SLIDE 1

Rerandomizable Signatures under Standard Assumption

Sanjit Chatterjee and R. Kabaleeshwaran

Indian Institute of Science, India.

INDOCRYPT 2019

Sanjit Chatterjee and R. Kabaleeshwaran (Indian Institute of Science, India), Rerandomizable Signatures under Standard Assumption, December 17th, 1 / 24

SLIDE 2

Outline

1. Motivation
2. Preliminaries
3. Our Constructions
4. Comparison

SLIDE 3

Motivation

Camenisch-Lysyanskaya [CL04] - Rerandomizable Signature (RRS)

◮ Signs multi-block messages.
◮ Rerandomizable: given a signature σ on m under PK, anybody can compute a fresh σ′ on m that is indistinguishable from σ.
◮ Rerandomizability replaces a costly zero-knowledge proof system in many privacy-preserving protocols.

Used as a building block in
◮ Group signatures,
◮ Anonymous credentials,
◮ Aggregate signatures,
◮ E-Cash, etc.

Goal: a fully rerandomizable RRS whose unforgeability holds under a standard assumption.

SLIDE 4

Literature

[CL04] introduced the CL-RRS scheme,
◮ Signature size depends on the message block length ℓ,
◮ UF under the LRSW interactive assumption,
◮ [GLOW12] gave a dual-form version of CL-RRS: symmetric composite-order setting, single-message case.

[PS16] introduced the PS-RRS scheme,
◮ Constant-size signature,
◮ UF under an interactive assumption.

[PS18] modified PS-RRS (mPS-RRS) scheme,
◮ Either weak rerandomizability in the standard model (SM) or full rerandomizability in the ROM,
◮ UF under a parameterized (q-type) assumption.

SLIDE 5

Bilinear pairing

An efficiently computable map e : G × H → GT satisfying

Bilinearity: ∀ P1, P2 ∈ G, Q1, Q2 ∈ H, e(P1 + P2, Q1 + Q2) = e(P1, Q1) e(P1, Q2) e(P2, Q1) e(P2, Q2),

Non-degeneracy: for any P ∈ G, if e(P, Q) = 1 for all Q ∈ H, then P = 0.

Types of pairing: let N be the order of G, H and GT. If N is prime, it is a prime-order pairing, otherwise a composite-order pairing. If G = H, the pairing is symmetric, otherwise asymmetric.

SLIDE 6

Signature Definition

A signature scheme consists of three PPT algorithms: KeyGen(λ) → (PK, SK), Sign(SK, m) → σ, Ver(PK, m, σ) → 1 or 0.

Unforgeability (EUF-CMA game between challenger C and adversary A):
  C runs KeyGen(λ) → (SK, PK) and sends PK to A.
  For i ∈ [1, q], A chooses mi ∈ M and C returns Sign(SK, mi) → (mi, σi).
  A outputs a forgery (m∗, σ∗).
A wins if
  1. m∗ ≠ mi for all i ∈ [1, q], and
  2. Ver(PK, m∗, σ∗) = 1.

SLIDE 7

Rerandomizable Signature

KeyGen, Sign, Ver + a new PPT algorithm Rand(PK, m, σ) → (m, σ′).

Security:
Unforgeability: EUF-CMA model.
Randomizability [Gha16] (game between C and A):
  C runs KeyGen(λ) → (SK, PK) and gives (SK, PK) to A.
  A sends a pair (m, σ). If Ver(PK, m, σ) = 1, C picks b ∈R {0, 1}:
    if b = 0, (m, σ0) ← Sign(SK, m); else (m, σ1) ← Rand(PK, m, σ),
  and returns σb to A. A outputs b′ and wins if b′ = b.

SLIDE 8

Composite-order setting

Let Θ = (N = p1p2, G, H, GT, e) ← GN(λ) with G = ⟨g⟩, H = ⟨h⟩. Write G ≅ G1 ⊕ G2, H ≅ H1 ⊕ H2, with pi-order subgroups Gi = ⟨gi⟩, Hi = ⟨hi⟩, i ∈ [1, 2].

Orthogonal property: e(gi, hj) = 1 for i ≠ j.
◮ Ex: every g1 ∈ G1 has the form $g^{r p_2}$ and every h2 ∈ H2 the form $h^{s p_1}$, so $e(g_1, h_2) = e(g^{r p_2}, h^{s p_1}) = e(g^{r}, h^{s})^{p_1 p_2} = e(g^{r}, h^{s})^{N} = 1$.

Parameter-Hiding property: by the Chinese Remainder Theorem (CRT), for $a \in_R \mathbb{Z}_N$ the value $a \bmod p_1$ reveals nothing about $a \bmod p_2$, i.e. $g_1^{a} g_2^{a} \approx g_1^{a} g_2^{a_1}$ for $a_1 \in_R \mathbb{Z}_N$.

SLIDE 9

Subgroup Hiding (SGH) assumption

Used in the EUF-CMA security proof.

◮ $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$: given $g_1, h_1, h_2, \hat{T}$, it is hard to decide whether $\hat{T} \in H_1$ or $\hat{T} \in H$,
◮ $\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}$: given $g_1, g_2, h_1, T$, it is hard to decide whether $T \in G_1$ or $T \in G$,
◮ $\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}$: given $g_2, h_1, h_2, \hat{T}$, it is hard to decide whether $\hat{T} \in H_2$ or $\hat{T} \in H$.

SLIDE 10

Our RRS Scheme in Composite-order setting

The construction is inspired by PS-RRS [PS16] (single-message case).

KeyGen(λ): Let $(N = p_1 p_2, G, H, G_T, e, \mu = \{G_1, H_1\}) \leftarrow \mathcal{G}_N(\lambda)$. Choose $g_1 \in_R G_1$, $h_1 \in_R H_1$ and $x, y \in_R \mathbb{Z}_N$. Return $SK = \{g_1, x, y\}$, $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$.

Sign(SK, m): Choose $r \in_R \mathbb{Z}_N$, compute $A := g_1^{r}$, $B := g_1^{r(x + my)}$. Return $(m, \sigma = (A, B))$.

Verify(PK, m, σ): Accept only if $e(A, h_1) \neq 1$ and $e(B, h_1) = e(A, X Y^{m})$.

Rand(PK, m, σ): If Ver(PK, m, σ) = 1, choose $s \in_R \mathbb{Z}_N$ and compute $A' := A^{s}$, $B' := B^{s}$. Return $(m, \sigma' = (A', B'))$.

Correctness: the check $e(A, h_1) \neq 1$ ensures that $A$ carries a non-zero exponent of $g_1$ (otherwise the trivial pair $(1, 1)$ would pass the second check), and
$e(B, h_1) = e(g_1^{r(x+my)}, h_1) = e(g_1^{r}, h_1^{x+my}) = e(A, X Y^{m})$.

SLIDE 11

Randomizability

Fully randomizable.

Game between C and A, where $g_1 \in_R G_1$, $h_1 \in_R H_1$, $x, y \in_R \mathbb{Z}_N$, $SK = \{g_1, x, y\}$, $PK = \{h_1, h_1^{x}, h_1^{y}\}$:
  C gives (SK, PK) to A; A sends (m, σ).
  If Ver(PK, m, σ) = 1, C picks $b \in_R \{0, 1\}$:
    if b = 0, $\sigma_0 = (A_0 = g_1^{r}, B_0 = g_1^{r(x+my)})$ for fresh $r \in_R \mathbb{Z}_N$;
    else $\sigma_1 = (A_1 = A^{s}, B_1 = B^{s})$ for $s \in_R \mathbb{Z}_N$,
  and returns $\sigma_b$. A outputs $b'$ and wins if $b' = b$.

Both $\sigma_0$ and $\sigma_1$ are distributed identically!

SLIDE 12

Unforgeability

Use the dual-form signature technique [GLOW12]. $\mathrm{Sign}_A = \mathrm{Sign}$, and $\mathrm{Sign}_B(SK \cup \{g_2\}, m)$: choose $r, \delta_1, \delta_2 \in_R \mathbb{Z}_N$ and return $m$ and $\sigma = (A := g_1^{r} g_2^{\delta_1},\ B := g_1^{r(x+my)} g_2^{\delta_2})$.

Forgery class: $V = \{(m^*, \sigma^*) \in \mathbb{Z}_N \times G^{2} : \mathrm{Ver}(PK, m^*, \sigma^*) = 1\}$,
◮ Type-I: $V_I = \{(m^*, \sigma^*) \in V : (A^*)^{p_1} = 1 \text{ and } (B^*)^{p_1} = 1\}$ (no $G_2$ component),
◮ Type-II: $V_{II} = \{(m^*, \sigma^*) \in V : (A^*)^{p_1} \neq 1 \text{ or } (B^*)^{p_1} \neq 1\}$ (some $G_2$ component).
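The following is an added worked example, not code from the paper or the slides. It runs the composite-order scheme of slide 10 (KeyGen, Sign, Verify, Rand), the orthogonality of slide 8, and the dual-form Sign_B together with the Type-I/Type-II split of slide 12. It assumes a toy model in which every group element is replaced by its discrete logarithm and the pairing by a product modulo N; the primes P1, P2 and all function names are the example's own, and the model is insecure by construction (x and y can be read off any signature), so it only checks the algebra.

```python
# Added worked example (not code from the paper or the slides): the composite-order
# RRS of slide 10, its Rand, the dual-form Sign_B of slide 12 and the Type-I/Type-II
# forgery test, executed in a TOY MODEL of the bilinear group.
#
# ASSUMPTION / WARNING: there is no real pairing here. Every group element is
# represented by its discrete logarithm, so G = H = Z_N written additively and
# e(a, b) := a*b mod N stands in for the pairing (the identity of G_T is 0).
# This reproduces the scheme's equations exactly (bilinearity, subgroup
# orthogonality, CRT parameter hiding) but has NO security. Never use it as a
# signature scheme; use it to check the algebra.
import secrets

P1, P2 = 1_000_003, 1_000_033   # toy subgroup orders (real ones are ~1024-bit primes)
N = P1 * P2

# Subgroup generators as exponents of the full generators g and h:
#   g1 = g^{p2} has order p1, g2 = g^{p1} has order p2 (same for h1, h2).
G1, G2 = P2, P1
H1, H2 = P2, P1

def pair(a, b):
    """Toy pairing e(g^a, h^b) = e(g, h)^{ab}, represented by ab mod N."""
    return (a * b) % N

def rand_exp():
    """r in Z_N with r != 0 mod p1 and r != 0 mod p2 (skips the ~2/p degenerate cases)."""
    while True:
        r = secrets.randbelow(N)
        if r % P1 and r % P2:
            return r

def keygen():
    x, y = rand_exp(), rand_exp()
    sk = (G1, x, y)                                  # {g1, x, y}
    pk = (H1, (x * H1) % N, (y * H1) % N)            # {h1, X = h1^x, Y = h1^y}
    return sk, pk

def sign(sk, m):
    """Sign_A of slide 10: A = g1^r, B = g1^{r(x+my)}."""
    g1, x, y = sk
    r = rand_exp()
    return ((r * g1) % N, (r * (x + m * y) * g1) % N)

def verify(pk, m, sig):
    h1, X, Y = pk
    A, B = sig
    if pair(A, h1) == 0:                             # e(A, h1) != 1
        return False
    return pair(B, h1) == pair(A, (X + m * Y) % N)   # e(B, h1) = e(A, X Y^m)

def rerandomize(pk, m, sig):
    """Rand of slide 10: raise both components to a fresh exponent s."""
    if not verify(pk, m, sig):
        raise ValueError("refusing to rerandomize an invalid signature")
    s = rand_exp()
    return ((sig[0] * s) % N, (sig[1] * s) % N)

def sign_b(sk, g2, m):
    """Sign_B of slide 12: a Sign_A signature blinded by independent G2 components."""
    g1, x, y = sk
    r, d1, d2 = rand_exp(), rand_exp(), rand_exp()
    A = (r * g1 + d1 * g2) % N
    B = (r * (x + m * y) * g1 + d2 * g2) % N
    return (A, B)

def forgery_type(sig):
    """Type-I iff A^{p1} = B^{p1} = 1, i.e. neither component has a G2 part."""
    def in_g1(v):
        return (P1 * v) % N == 0                     # raising to p1 kills the G1 part only
    A, B = sig
    return "I" if in_g1(A) and in_g1(B) else "II"
```

Sign_B outputs still verify because h1 lies in H1 and the pairing is orthogonal on the G2 parts, which is exactly why the hybrid games of slide 13 can swap Sign_A for Sign_B without the adversary noticing.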

SLIDE 13

Theorem

SGH assumptions ⇒ RRS scheme is EUF-CMA secure.

Proof.

We use a hybrid argument.
  GameR: the real EUF-CMA game, in which A may output any forgery in V,
  Game0: same as GameR, except that A must output a forgery in $V_I$,
  Gamek: same as Game0, except that the first k signing queries are answered with $\mathrm{Sign}_B$,
  E: the event that A outputs a forgery in $V_{II}$ in Game0.
Then we prove
  1. $|\mathrm{Adv}^{\mathrm{Game}_R}_{\mathcal{A}} - \mathrm{Adv}^{\mathrm{Game}_0}_{\mathcal{A}}| \le \Pr[E] \le \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}}_{\mathcal{B}} + 1/N$,
  2. $|\mathrm{Adv}^{\mathrm{Game}_{k-1}}_{\mathcal{A}} - \mathrm{Adv}^{\mathrm{Game}_k}_{\mathcal{A}}| \le \mathrm{Adv}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}}_{\mathcal{B}}$ for each $k \in [1, q]$,
  3. $\mathrm{Adv}^{\mathrm{Game}_q}_{\mathcal{A}} \le \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}}_{\mathcal{B}}$.
Hence, summing the q hybrid steps of item 2,
  $\mathrm{Adv}^{\mathrm{Game}_R}_{\mathcal{A}} \le \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}}_{\mathcal{B}} + q \cdot \mathrm{Adv}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}}_{\mathcal{B}} + \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}}_{\mathcal{B}} + 1/N$.

SLIDE 14

Lemma

$\Pr[E] \le \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}}_{\mathcal{B}} + 1/N$.

Proof.

B receives an $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$ instance $(g_1, h_1, h_2, \hat{T})$ from C and simulates Game0 for A:
  B chooses $x, y \in_R \mathbb{Z}_N$, sets $SK = \{g_1, x, y\}$ and sends $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$ to A.
  For $i \in [1, q]$, B answers the query $m_i$ with $\mathrm{Sign}_A(SK, m_i) \to (m_i, \sigma_i)$.
  A outputs a forgery $(m^*, \sigma^* = (A^*, B^*))$; write $A^* = g_1^{r} g_2^{\gamma_1}$, $B^* = g_1^{r(x + m^* y)} g_2^{\gamma_2}$.
  B computes $S := B^* (A^*)^{-(x + m^* y)} = g_2^{\gamma_2 - \gamma_1 (x + m^* y)}$.
  If the forgery is of Type-II, then $S \neq 1$ with non-negligible probability: by CRT, $x, y \bmod p_2$ are uniformly random and hidden from A (PK only reveals $x, y \bmod p_1$), so the exponent $\gamma_2 - \gamma_1(x + m^* y)$ vanishes mod $p_2$ only with negligible probability, which accounts for the $1/N$ term.
  B answers: if $e(S, \hat{T}) = 1$ then $\hat{T} \in H_1$, else $\hat{T} \in H$.

SLIDE 15

Lemma

$|\mathrm{Adv}^{\mathrm{Game}_{k-1}}_{\mathcal{A}} - \mathrm{Adv}^{\mathrm{Game}_k}_{\mathcal{A}}| \le \mathrm{Adv}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}}_{\mathcal{B}}$.

Proof.

B receives an $\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}$ instance $(g_1, g_2, h_1, T = g_1^{t_1} g_2^{t_2})$ from C, where either $t_2 = 0$ or $t_2 \neq 0$, and simulates for A:
  B chooses $x, y \in_R \mathbb{Z}_N$, sets $SK = \{g_1, x, y\} \cup \{g_2\}$ and sends $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$ to A.
  Queries $m_i$, $i \in [1, k-1]$: answered with $\mathrm{Sign}_B(SK, m_i) \to (m_i, \sigma_i)$.
  Query $m_k$: answered with $\sigma_k = (A_k, B_k)$, where $A_k = T = g_1^{t_1} g_2^{t_2}$ and $B_k = T^{x + m_k y} = (g_1^{t_1} g_2^{t_2})^{x + m_k y}$.
  Queries $m_t$, $t \in [k+1, q]$: answered with $\mathrm{Sign}_A(SK, m_t) \to (m_t, \sigma_t)$.
  A outputs $(m^*, \sigma^* = (A^*, B^*))$ and B outputs 1 or 0 according to whether A's forgery is valid.
If $t_2 = 0$, the k-th signature is a $\mathrm{Sign}_A$ signature and B simulates Game$_{k-1}$; if $t_2 \neq 0$, by CRT $x, y \bmod p_2$ are random, so the $G_2$ part of $B_k$ is distributed like the $g_2^{\delta_2}$ of $\mathrm{Sign}_B$ and B simulates Game$_k$.

SLIDE 16

Lemma

$\mathrm{Adv}^{\mathrm{Game}_q}_{\mathcal{A}} \le \mathrm{Adv}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}}_{\mathcal{B}}$.

Proof.

B receives an $\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}$ instance $(g_2, h_1, h_2, \hat{T})$ from C and simulates Game$_q$ for A:
  B picks a random element of $G$, written $g_1^{\tau_1} g_2^{\tau_2} \in_R G$, and $x, y \in_R \mathbb{Z}_N$; it sets $SK = \{x, y\} \cup \{g_2\}$ and sends $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$ to A.
  For $i \in [1, q]$, B answers $m_i$ with $\mathrm{Sign}_B(SK, m_i) \to (m_i, \sigma_i = (A_i, B_i))$, where
    $A_i = (g_1^{\tau_1} g_2^{\tau_2})^{r} g_2^{\delta'_1}$, $B_i = (g_1^{\tau_1} g_2^{\tau_2})^{r(x + m_i y)} g_2^{\delta'_2}$.
  A outputs a Type-I forgery $(m^*, \sigma^* = (A^*, B^*))$, so $A^* \in G_1$.
  B answers: if $e(A^*, \hat{T}) = 1$ then $\hat{T} \in H_2$, else $\hat{T} \in H$.

SLIDE 17

Composite To Prime-order setting

Use Dual Pairing Vector Spaces (DPVS) [OT10] in the prime-order setting.

Orthogonal property via a dual basis $(\mathbb{B}, \mathbb{B}^*) \leftarrow \mathrm{Dual}(\lambda, \mathbb{F}_p^{4})$, where $\mathbb{B} = \{\vec{b}_i\}_{i=1}^{4}$, $\mathbb{B}^* = \{\vec{b}^*_i\}_{i=1}^{4}$ and
  $\vec{b}_i \cdot \vec{b}^*_j = \psi$ if $i = j$, and $0$ if $i \neq j$.

Parameter-Hiding (PH) property [Lew12]: $(\mathbb{B}, \mathbb{B}^*) \xrightarrow{A \in GL(2)} (\mathbb{D}, \mathbb{D}^*)$ such that the distribution of $(\mathbb{D}, \mathbb{D}^*)$ is independent of $A$.
◮ Ex: $\vec{d}_1 = \vec{b}_1$, $\vec{d}_2 = \vec{b}_2$, $\vec{d}^*_1 = \vec{b}^*_1$, $\vec{d}^*_2 = \vec{b}^*_2$, $(\vec{d}_3, \vec{d}_4)^{\top} = A^{-\top} (\vec{b}_3, \vec{b}_4)^{\top}$, $(\vec{d}^*_3, \vec{d}^*_4)^{\top} = A (\vec{b}^*_3, \vec{b}^*_4)^{\top}$.

SLIDE 18

Composite To Prime-order setting

Decisional Subspace (DS) assumptions:

$\mathrm{DDH}_H$: given $g, h, h^{a}, h^{b}, h^{c}$, it is hard to decide whether $c = ab \bmod p$ or not.

$\mathrm{DS}_H$: given $g^{\vec{b}_1}, g^{\vec{b}_2}, h^{\vec{b}^*_1}, h^{\vec{b}^*_2}, h^{\vec{b}^*_3}, h^{\vec{b}^*_4}$, $U_1 = g^{\mu_1 \vec{b}_1 + \mu_2 \vec{b}_3}$, $U_2 = g^{\mu_1 \vec{b}_2 + \mu_2 \vec{b}_4}$, $T_1 = h^{\tau_1 \vec{b}^*_1 + \tau_2 \vec{b}^*_3}$, $T_2 = h^{\tau_1 \vec{b}^*_2 + \tau_2 \vec{b}^*_4}$, it is hard to decide whether $\tau_2 = 0$ or not.
◮ Similar to $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$.

$\mathrm{DS}_G$: given $g^{\vec{b}_1}, g^{\vec{b}_2}, g^{\vec{b}_3}, g^{\vec{b}_4}, h^{\vec{b}^*_1}, h^{\vec{b}^*_2}$, $U_1 = h^{\mu_1 \vec{b}^*_1 + \mu_2 \vec{b}^*_3}$, $U_2 = h^{\mu_1 \vec{b}^*_2 + \mu_2 \vec{b}^*_4}$, $T_1 = g^{\tau_1 \vec{b}_1 + \tau_2 \vec{b}_3}$, $T_2 = g^{\tau_1 \vec{b}_2 + \tau_2 \vec{b}_4}$, it is hard to decide whether $\tau_2 = 0$ or not.
◮ Similar to $\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}$.

SLIDE 19

RRS scheme in prime-order setting

KeyGen(λ): Let $\mathcal{P}(\lambda) \to (p, G, H, G_T, e)$. Choose $(\mathbb{D}, \mathbb{D}^*) \in_R \mathrm{Dual}(\lambda, \mathbb{F}_p^{4})$ and $x, y \in_R \mathbb{Z}_p$. Return $SK = \{g^{\vec{d}_1}, g^{\vec{d}_2}, x, y\}$, $PK = \{h^{\vec{d}^*_1}, h^{\vec{d}^*_2}, X = h^{x \vec{d}^*_1}, Y = h^{y \vec{d}^*_1}\}$.

Sign(SK, m): Choose $r \in_R \mathbb{Z}_p$, compute $\sigma = g^{r \vec{d}_1 - r(x + my) \vec{d}_2}$. Return $(m, \sigma)$.

Verify(PK, m, σ): Accept if $e(\sigma, h^{\vec{d}^*_1}) \neq 1$ and $e(\sigma, X Y^{m} h^{\vec{d}^*_2}) = 1$.

Rand(PK, m, σ): If Ver(PK, m, σ) = 1, choose $s \in_R \mathbb{Z}_p$ and return $(m, \sigma' := \sigma^{s})$.

Correctness: $e(\sigma, h^{\vec{d}^*_1}) = e(g, h)^{r\, \vec{d}_1 \cdot \vec{d}^*_1} = e(g, h)^{r \psi} \neq 1$ for $r \neq 0$, and
$e(\sigma, X Y^{m} h^{\vec{d}^*_2}) = e(g^{r \vec{d}_1 - r(x+my) \vec{d}_2},\ h^{x \vec{d}^*_1} (h^{y \vec{d}^*_1})^{m} h^{\vec{d}^*_2}) = e(g, h)^{r(x+my)\, \vec{d}_1 \cdot \vec{d}^*_1 - r(x+my)\, \vec{d}_2 \cdot \vec{d}^*_2} = e(g, h)^{r(x+my)\psi - r(x+my)\psi} = 1$.

SLIDE 20

Security

Fully rerandomizable: $\sigma_0 = g^{t \vec{d}_1 - t(x+my) \vec{d}_2}$ and $\sigma_1 = g^{sr \vec{d}_1 - sr(x+my) \vec{d}_2}$ are identically distributed.

Unforgeability under the SXDH assumption.
◮ Use the dual-form signature technique,
◮ replace $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$ with the $\mathrm{DS}_H$ assumption, ⋆ $\mathrm{DDH}_H \Rightarrow \mathrm{DS}_H$,
◮ replace $\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}$ with the $\mathrm{DS}_G$ assumption, ⋆ $\mathrm{DDH}_G \Rightarrow \mathrm{DS}_G$,
◮ replace $\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}$ with the $\mathrm{DDH}_H$ assumption.

SLIDE 21

Summary

Our RRS scheme is secure under the SXDH assumption:
◮ This variant is inspired by [PS16],
◮ Main signature exponent: $x + \sum_{j=1}^{\ell} m_j y_j$,
◮ Constant-size signature while signing multi-block messages,
◮ Fully rerandomizable.

Another RRS variant, inspired by [Gha16]:
◮ Main signature exponent: $(x + m_1 + \sum_{j=2}^{\ell} m_j y_j) / y_1$,
◮ Fully rerandomizable,
◮ Unforgeability under the same set of assumptions.

SLIDE 22

Comparison

Table: Comparing rerandomizable signatures for multiple block messages. ℓ is the number of message blocks; P = pairing, E_G / E_H = exponentiation in G / H, M_G / M_H / M_GT = multiplication in G / H / GT.

CL-RRS:      |PK| = (ℓ+2)|G|;  |σ| = (2ℓ+1)|G|;  Signing cost = (2ℓ+1)E_G;  Verification cost = 4ℓP + ℓE_G + ℓM_G;  Rand. = Full;  Assumption = LRSW
mCL-RRS:     |PK| = (ℓ+3)|G|;  |σ| = (2ℓ+3)|G| + 1|Zp|;  Signing cost = (2ℓ+3)E_G;  Verification cost = 4(ℓ+1)P + (ℓ+1)E_G + (ℓ+1)M_G;  Rand. = Weak;  Assumption = q-MSDH-1
PS-RRS:      |PK| = (ℓ+2)|H|;  |σ| = 2|G|;  Signing cost = 2E_G;  Verification cost = 2P + ℓE_H + ℓM_H;  Rand. = Full;  Assumption = PS
mPS-RRS:     |PK| = (ℓ+3)|H|;  |σ| = 2|G| + 1|Zp|;  Signing cost = 2E_G;  Verification cost = 2P + (ℓ+1)E_H + (ℓ+1)M_H;  Rand. = Weak;  Assumption = q-MSDH-2
Our PS-RRS:  |PK| = (4ℓ+13)|H| + 1|G|;  |σ| = 4|G|;  Signing cost = 8E_G + 4M_G;  Verification cost = 8P + 6M_GT + 4ℓE_H + 4(ℓ+1)M_H;  Rand. = Full;  Assumption = SXDH
Our RRS (variant inspired by [Gha16]):  |PK| = (4ℓ+9)|H| + 1|G|  (remaining columns not legible in the source)

SLIDE 23

References

[CL04] Jan Camenisch and Anna Lysyanskaya, "Signature schemes and anonymous credentials from bilinear maps", CRYPTO 2004.
[Gha16] Essam Ghadafi, "Short structure-preserving signatures", CT-RSA 2016.
[GLOW12] Michael Gerbush, Allison B. Lewko, Adam O'Neill and Brent Waters, "Dual form signatures: An approach for proving security from static assumptions", ASIACRYPT 2012.
[Lew12] Allison B. Lewko, "Tools for simulating features of composite order bilinear groups in the prime order setting", EUROCRYPT 2012.
[OT10] Tatsuaki Okamoto and Katsuyuki Takashima, "Fully secure functional encryption with general relations from the decisional linear assumption", CRYPTO 2010.
[PS16] David Pointcheval and Olivier Sanders, "Short randomizable signatures", CT-RSA 2016.
[PS18] David Pointcheval and Olivier Sanders, "Reassessing security of randomizable signatures", CT-RSA 2018.

SLIDE 24

THANK YOU

See https://ia.cr/2019/1144.

Questions?