Rerandomizable Signatures under Standard Assumption

Sanjit Chatterjee and R. Kabaleeshwaran, Indian Institute of Science, India. INDOCRYPT 2019.


  1. Rerandomizable Signatures under Standard Assumption

     Sanjit Chatterjee and R. Kabaleeshwaran, Indian Institute of Science, India. INDOCRYPT 2019, December 17th.

  2. Outline

     1 Motivation
     2 Preliminaries
     3 Our Constructions
     4 Comparison

  3. Motivation

     Camenisch-Lysyanskaya [CL04] - Rerandomizable Signature (RRS)
     ◮ Signing multiple block messages,
     ◮ Rerandomizable: Given $\sigma$ on $m$ under $PK$, anybody can compute $\sigma'$ on $m$ which is indistinguishable from $\sigma$.
     ◮ Rerandomizability replaces costly zero knowledge proof system in many privacy preserving protocols.

     Used as building block in
     ◮ Group signature,
     ◮ Anonymous credentials,
     ◮ Aggregate signature,
     ◮ E-Cash, etc.

     Goal: Fully rerandomizable RRS, unforgeability under standard assumption.

  4. Literature

     [CL04] introduced CL-RRS scheme,
     ◮ Signature size depends on the message block length $\ell$,
     ◮ UF - LRSW interactive assumption.
     ◮ [GLOW12] Dual-form of CL-RRS: symmetric composite-order setting, single message case.

     [PS16] introduced PS-RRS scheme,
     ◮ Constant size signature,
     ◮ UF - interactive assumption.

     [PS18] modified PS-RRS (mPS-RRS) scheme,
     ◮ Either weak rerandomizability in SM or fully rerandomizable in ROM,
     ◮ UF - parameterized assumption.

  5. Bilinear pairing

     Efficiently computable map $e : G \times H \to G_T$ satisfies

     Bilinearity: $\forall P_1, P_2 \in G$, $Q_1, Q_2 \in H$,
     $e(P_1 + P_2, Q_1 + Q_2) = e(P_1, Q_1)\, e(P_1, Q_2)\, e(P_2, Q_1)\, e(P_2, Q_2)$,

     Non-degeneracy: for any $P \in G$, if $e(P, Q) = 1$, $\forall Q \in H$, then $P = 0$.

     Types of pairing: Let $N$ be the order of $G$, $H$ and $G_T$.
     ◮ If $N$ is prime, it is prime order pairing, otherwise composite order.
     ◮ If $G = H$, then it is symmetric, otherwise asymmetric pairing.

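  6. Signature Definition

     Three PPT algorithms,
     $\mathrm{KeyGen}(\lambda) \to (PK, SK)$, $\mathrm{Sign}(SK, m) \to \sigma$, $\mathrm{Ver}(PK, m, \sigma) \to 1$ or $0$.

     Unforgeability. EUF-CMA model, between challenger $\mathcal{C}$ and adversary $\mathcal{A}$:
     ◮ $\mathcal{C}$: $\mathrm{KeyGen}(\lambda) \to (SK, PK)$; sends $PK$ to $\mathcal{A}$.
     ◮ $\mathcal{A}$ queries $m_i \in \mathcal{M}$, $i \in [1, q]$; $\mathcal{C}$ answers $\mathrm{Sign}(SK, m_i) \to (m_i, \sigma_i)$.
     ◮ $\mathcal{A}$ outputs $(m^*, \sigma^*)$ with
       1. $m^* \neq m_i$, for $i \in [1, q]$,
       2. $\mathrm{Ver}(PK, m^*, \sigma^*) = 1$.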

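  7. Rerandomizable Signature

     KeyGen, Sign, Ver + a new PPT algorithm, $\mathrm{Rand}(PK, m, \sigma) \to (m, \sigma')$.

     Security:
     Unforgeability: EUF-CMA model.
     Randomizability [Gha16], between challenger $\mathcal{C}$ and adversary $\mathcal{A}$:
     ◮ $\mathcal{C}$: $\mathrm{KeyGen}(\lambda) \to (SK, PK)$; sends $(SK, PK)$ to $\mathcal{A}$.
     ◮ $\mathcal{A}$ sends $(m, \sigma)$.
     ◮ $\mathcal{C}$: If $\mathrm{Ver}(PK, m, \sigma) = 1$, $b \in_R \{0, 1\}$.
       If $b = 0$, $(m, \sigma_0) \leftarrow \mathrm{Sign}(SK, m)$.
       Else, $(m, \sigma_1) \leftarrow \mathrm{Rand}(PK, m, \sigma)$.
       Sends $\sigma_b$ to $\mathcal{A}$.
     ◮ $\mathcal{A}$ outputs $b'$; check $b' = b$.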

  8. Composite-order setting

     Let $\Theta = (N = p_1 p_2, G, H, G_T, e) \leftarrow \mathcal{G}_N(\lambda)$ with $G = \langle g \rangle$, $H = \langle h \rangle$.

     Write $G \cong G_1 \oplus G_2$, $H \cong H_1 \oplus H_2$, $p_i$-order subgroups $G_i = \langle g_i \rangle$, $H_i = \langle h_i \rangle$, $i \in [1, 2]$.

     Orthogonal property: $e(g_i, h_j) = 1$, for $i \neq j$.
     ◮ Ex: $e(g_1, h_2) = e(g^{r p_2}, h^{s p_1}) = e(g^r, h^s)^{p_1 p_2} = 1$.

     Parameter-Hiding property: Chinese Remainder Theorem (CRT) ensures that, for $a \in_R \mathbb{Z}_N$, $a \bmod p_1$ does not reveal $a \bmod p_2$,
     i.e., $g_1^{a} g_2^{a} \approx g_1^{a} g_2^{a_1}$, for $a_1 \in_R \mathbb{Z}_N$.

  9. Subgroup Hiding (SGH) assumption

     Used in EUF-CMA security.
     ◮ $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$: Given $g_1, h_1, h_2, \hat{T}$, hard to decide $\hat{T} \in H_1$ or $\hat{T} \in H$,
     ◮ $\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}$: Given $g_1, g_2, h_1, T$, hard to decide $T \in G_1$ or $T \in G$,
     ◮ $\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}$: Given $g_2, h_1, h_2, \hat{T}$, hard to decide $\hat{T} \in H_2$ or $\hat{T} \in H$.

  10. Our RRS Scheme in Composite-order setting

      Construction is inspired from PS-RRS [PS16] (Single message case).

      $\mathrm{KeyGen}(\lambda)$: Let $(N = p_1 p_2, G, H, G_T, e, \mu = \{G_1, H_1\}) \xleftarrow{\$} \mathcal{G}_N(\lambda)$. Choose $g_1 \in_R G_1$, $h_1 \in_R H_1$ and $x, y \in_R \mathbb{Z}_N$. Return
      $SK = \{g_1, x, y\}$, $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$.

      $\mathrm{Sign}(SK, m)$: Choose $r \in_R \mathbb{Z}_N$, compute $A := g_1^{r}$, $B := g_1^{r(x + my)}$. Return $(m, \sigma = (A, B))$.

      $\mathrm{Verify}(PK, m, \sigma)$: Accept only if $e(A, h_1) \neq 1$ and $e(B, h_1) = e(A, X Y^{m})$.

      $\mathrm{Rand}(PK, m, \sigma)$: If $\mathrm{Ver}(PK, m, \sigma) = 1$, then choose $s \in_R \mathbb{Z}_N$ and compute $A' := A^{s}$, $B' := B^{s}$. Return $(m, \sigma' = (A', B'))$.

      Correctness:
      $e(A, h_1) \neq 1$ ensures $A$ contains a non-zero exponent of $g_1$.
      $e(B, h_1) = e(g_1^{r(x + my)}, h_1) = e(g_1^{r}, h_1^{(x + my)}) = e(A, X Y^{m})$.

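  11. Randomizability

      Fully randomizable. Game between challenger $\mathcal{C}$ and adversary $\mathcal{A}$:
      ◮ $\mathcal{C}$: $g_1 \in_R G_1$, $h_1 \in_R H_1$, $x, y \in_R \mathbb{Z}_N$, $SK = \{g_1, x, y\}$, $PK = \{h_1, h_1^{x}, h_1^{y}\}$; sends $(SK, PK)$ to $\mathcal{A}$.
      ◮ $\mathcal{A}$ sends $(m, \sigma)$.
      ◮ $\mathcal{C}$: If $\mathrm{Ver}(PK, m, \sigma) = 1$, $b \in_R \{0, 1\}$.
        If $b = 0$, $\sigma_0 = (A_0 = g_1^{r}, B_0 = g_1^{r(x + my)})$.
        Else, $\sigma_1 = (A_1 = A^{s}, B_1 = B^{s})$.
        Sends $\sigma_b$ to $\mathcal{A}$.
      ◮ $\mathcal{A}$ outputs $b'$; check $b' = b$.

      Both $\sigma_0$ and $\sigma_1$ are distributed identically!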

  12. Unforgeability

      Use Dual-form signature technique [GLOW12].

      $\mathrm{Sign}_A = \mathrm{Sign}$,
      $\mathrm{Sign}_B(SK \cup \{g_2\}, m)$: Choose $r, \delta_1, \delta_2 \in_R \mathbb{Z}_N$ and return $m$ and
      $\sigma = (A := g_1^{r} g_2^{\delta_1},\ B := g_1^{r(x + my)} g_2^{\delta_2})$.

      Forgery Class: $\mathcal{V} = \{(m^*, \sigma^*) \in \mathbb{Z}_N \times G^2 : \mathrm{Ver}(PK, m^*, \sigma^*) = 1\}$,
      ◮ Type-I $\mathcal{V}_I = \{(m^*, \sigma^*) \in \mathcal{V} : (A^*)^{p_1} = 1,\ (B^*)^{p_1} = 1\}$,
      ◮ Type-II $\mathcal{V}_{II} = \{(m^*, \sigma^*) \in \mathcal{V} : (A^*)^{p_1} \neq 1 \text{ or } (B^*)^{p_1} \neq 1\}$.

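  13. Theorem

      SGH assumptions $\Rightarrow$ RRS scheme is EUF-CMA secure.

      Proof. We use a hybrid argument.
      ◮ $\mathrm{Game}_R$: Real EUF-CMA game, here $\mathcal{A} \to \mathcal{V}$,
      ◮ $\mathrm{Game}_0$: $\sim \mathrm{Game}_R$, except $\mathcal{A} \to \mathcal{V}_I$,
      ◮ $\mathrm{Game}_k$: $\sim \mathrm{Game}_0$, except 1st $k$ queries answered using $\mathrm{Sign}_B$,
      ◮ $E$: event that $\mathcal{A} \to \mathcal{V}_{II}$ in $\mathrm{Game}_0$.

      Then we prove
      1. $|\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_R} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_0}| \le \Pr[E] \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}} + 1/N$,
      2. $|\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{k-1}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_k}| \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}}$,
      3. $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_q} \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}}$.

      Hence,
      $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_R} \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}} + \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}} + \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}} + 1/N$.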

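  14. Lemma

      $\Pr[E] \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}} + 1/N$.

      Proof. Reduction between challenger $\mathcal{C}$, simulator $\mathcal{B}$ and adversary $\mathcal{A}$:
      ◮ $\mathcal{C}$ gives $\mathcal{B}$: $g_1, h_1, h_2, \hat{T}$.
      ◮ $\mathcal{B}$: $x, y \in_R \mathbb{Z}_N$, $SK = \{g_1, x, y\}$, $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$; sends $PK$ to $\mathcal{A}$.
      ◮ $\mathcal{A}$ queries $m_i$, $i \in [1, q]$; $\mathcal{B}$ answers $\mathrm{Sign}_A(SK, m_i) \to (m_i, \sigma_i)$.
      ◮ CRT: $x, y \bmod p_2$ is random, hidden to $\mathcal{A}$.
      ◮ $\mathcal{A}$ outputs $(m^*, \sigma^* = (A^*, B^*))$. Here $A^* = g_1^{r} g_2^{\gamma_1}$, $B^* = g_1^{r(x + m^* y)} g_2^{\gamma_2}$.
      ◮ $\mathcal{B}$ computes $S := B^* (A^*)^{-(x + m^* y)} = g_2^{\gamma_2 - \gamma_1 (x + m^* y)} \neq 1$ with non-negligible probability.
      ◮ If $e(S, \hat{T}) = 1$, then $\hat{T} \in H_1$, else $\hat{T} \in H_2$.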

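  15. Lemma

      $|\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{k-1}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_k}| \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{G}_{p_1 \to p_1 p_2}}$.

      Proof. Reduction between challenger $\mathcal{C}$, simulator $\mathcal{B}$ and adversary $\mathcal{A}$:
      ◮ $\mathcal{C}$ gives $\mathcal{B}$: $g_1, g_2, h_1, T = g_1^{t_1} g_2^{t_2}$.
      ◮ $\mathcal{B}$: $x, y \in_R \mathbb{Z}_N$, $SK = \{g_1, x, y\} \cup \{g_2\}$, $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$; sends $PK$ to $\mathcal{A}$.
      ◮ Queries $m_i$, $i \in [1, k-1]$: $\mathrm{Sign}_B(SK, m_i) \to (m_i, \sigma_i)$.
      ◮ Query $m_k$: $A_k = g_1^{t_1} g_2^{t_2}$, $B_k = (g_1^{t_1} g_2^{t_2})^{(x + m_k y)}$; returns $(m_k, \sigma_k = (A_k, B_k))$. CRT: $x, y \bmod p_2$ is random.
      ◮ Queries $m_t$, $t \in [k+1, q]$: $\mathrm{Sign}_A(SK, m_t) \to (m_t, \sigma_t)$.
      ◮ $\mathcal{A}$ outputs $(m^*, \sigma^* = (A^*, B^*))$; $\mathcal{B}$ outputs 1 or 0.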

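  16. Lemma

      $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_q} \le \mathrm{Adv}_{\mathcal{B}}^{\mathrm{SGH}^{H}_{p_2 \to p_1 p_2}}$.

      Proof. Reduction between challenger $\mathcal{C}$, simulator $\mathcal{B}$ and adversary $\mathcal{A}$:
      ◮ $\mathcal{C}$ gives $\mathcal{B}$: $g_2, h_1, h_2, \hat{T}$.
      ◮ $g_1^{\tau_1} g_2^{\tau_2} \in_R G$, $x, y \in_R \mathbb{Z}_N$, $SK = \{x, y\} \cup \{g_2\}$, $PK = \{h_1, X = h_1^{x}, Y = h_1^{y}\}$; $PK$ is sent to $\mathcal{A}$.
      ◮ Queries $m_i$, $i \in [1, q]$: $A_i = (g_1^{\tau_1} g_2^{\tau_2})^{r} g_2^{\delta'_1}$, $B_i = (g_1^{\tau_1} g_2^{\tau_2})^{r(x + m_i y)} g_2^{\delta'_2}$;
        $\mathrm{Sign}_B(SK, m_i) \to (m_i, \sigma_i = (A_i, B_i))$.
      ◮ $\mathcal{A}$ outputs $(m^*, \sigma^* = (A^*, B^*))$.
      ◮ If $e(A^*, \hat{T}) = 1$, then $\hat{T} \in H_2$, else $\hat{T} \in H$.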

  17. Composite To Prime-order setting

      Use Dual Pairing Vector Space (DPVS) [OT10] in the prime-order setting.

      Orthogonal property via Dual basis $(\mathbb{B}, \mathbb{B}^*) \leftarrow \mathrm{Dual}(\lambda, \mathbb{F}_p^4)$, where $\mathbb{B} = \{\vec{b}_i\}_{i=1}^{4}$, $\mathbb{B}^* = \{\vec{b}^*_i\}_{i=1}^{4}$.

      $\vec{b}_i \cdot \vec{b}^*_j = \begin{cases} \psi & \text{if } i = j, \\ 0 & \text{if } i \neq j. \end{cases}$

      Parameter Hiding (PH) property [Lew12]: $(\mathbb{B}, \mathbb{B}^*) \xrightarrow{A \in GL(2)} (\mathbb{D}, \mathbb{D}^*)$ such that $(\mathbb{D}, \mathbb{D}^*)$ is independent of $A$.
      ◮ Ex: $\vec{d}_1 = \vec{b}_1$, $\vec{d}_2 = \vec{b}_2$, $\vec{d}^*_1 = \vec{b}^*_1$, $\vec{d}^*_2 = \vec{b}^*_2$,
        $(\vec{d}_3, \vec{d}_4)^{\top} = A^{-\top} (\vec{b}_3, \vec{b}_4)^{\top}$, $(\vec{d}^*_3, \vec{d}^*_4)^{\top} = A (\vec{b}^*_3, \vec{b}^*_4)^{\top}$.

  18. Composite To Prime-order setting

      Decisional Subspace (DS) Assumptions:

      $\mathrm{DDH}_H$: Given $g, h, h^{a}, h^{b}, h^{c}$, hard to decide $c = ab \bmod p$ or not.

      $\mathrm{DS}_H$: $g^{\vec{b}_1}, g^{\vec{b}_2}, h^{\vec{b}^*_1}, h^{\vec{b}^*_2}, h^{\vec{b}^*_3}, h^{\vec{b}^*_4}$,
      $U_1 = g^{\mu_1 \vec{b}_1 + \mu_2 \vec{b}_3}$, $U_2 = g^{\mu_1 \vec{b}_2 + \mu_2 \vec{b}_4}$,
      $T_1 = h^{\tau_1 \vec{b}^*_1 + \tau_2 \vec{b}^*_3}$, $T_2 = h^{\tau_1 \vec{b}^*_2 + \tau_2 \vec{b}^*_4}$, $\tau_2 = 0$ or not.
      ◮ Similar to $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$,

      $\mathrm{DS}_G$: $g^{\vec{b}_1}, g^{\vec{b}_2}, g^{\vec{b}_3}, g^{\vec{b}_4}, h^{\vec{b}^*_1}, h^{\vec{b}^*_2}$,
      $U_1 = h^{\mu_1 \vec{b}^*_1 + \mu_2 \vec{b}^*_3}$, $U_2 = h^{\mu_1 \vec{b}^*_2 + \mu_2 \vec{b}^*_4}$,
      $T_1 = g^{\tau_1 \vec{b}_1 + \tau_2 \vec{b}_3}$, $T_2 = g^{\tau_1 \vec{b}_2 + \tau_2 \vec{b}_4}$, $\tau_2 = 0$ or not.
      ◮ Similar to $\mathrm{SGH}^{H}_{p_1 \to p_1 p_2}$,
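
The composite-order scheme of slide 10, the dual-form signer Sign_B of slide 12 and the value S computed in the lemma of slide 14 can be traced in a toy model. This is an added example, not the authors' code: it assumes a group element g^a is represented by its exponent a mod N, so the pairing becomes multiplication of exponents. The primes and the helper names `pair`, `sign_b` and `g2_residue` are choices made here, and the model has no security because discrete logs are in the clear.

```python
# Added toy model, not the authors' code: g^a is stored as the exponent a mod N,
# so e(g^a, h^b) = gT^(ab) is a*b mod N. Shows the algebra only; no security.
import secrets

P1, P2 = 2**61 - 1, 2**89 - 1      # constructed parameters (two Mersenne primes)
N = P1 * P2

def pair(a, b):
    """e(g^a, h^b) as an exponent of gT; 0 is the identity ('= 1' on the slides)."""
    return a * b % N

def keygen():
    g1 = P2 * (1 + secrets.randbelow(P1 - 1)) % N   # generator of G1 (order p1)
    h1 = P2 * (1 + secrets.randbelow(P1 - 1)) % N   # generator of H1 (order p1)
    g2 = P1 * (1 + secrets.randbelow(P2 - 1)) % N   # generator of G2, used only by Sign_B
    x, y = secrets.randbelow(N), secrets.randbelow(N)
    return (g1, x, y), (h1, h1 * x % N, h1 * y % N), g2   # SK, PK = (h1, X, Y), g2

def sign(sk, m):
    g1, x, y = sk
    A = g1 * secrets.randbelow(N) % N               # A = g1^r
    return A, A * (x + m * y) % N                   # B = g1^{r(x+my)}

def verify(pk, m, sig):
    h1, X, Y = pk
    A, B = sig
    # e(A, h1) != 1  and  e(B, h1) = e(A, X Y^m)
    return pair(A, h1) != 0 and pair(B, h1) == pair(A, (X + m * Y) % N)

def rand(pk, m, sig):
    if not verify(pk, m, sig):
        raise ValueError("refusing to rerandomize an invalid signature")
    s = secrets.randbelow(N)
    return sig[0] * s % N, sig[1] * s % N           # (A^s, B^s)

def sign_b(sk, g2, m):
    A, B = sign(sk, m)                              # Sign_A part, then add G2 components
    return ((A + g2 * secrets.randbelow(N)) % N,    # A * g2^{delta_1}
            (B + g2 * secrets.randbelow(N)) % N)    # B * g2^{delta_2}

def g2_residue(sk, m, sig):
    """S = B * A^{-(x+my)} from slide 14; identity (0) for Sign_A-form signatures."""
    _, x, y = sk
    return (sig[1] - sig[0] * (x + m * y)) % N
```

Signatures from `sign_b` pass `verify` because pairing with an element of H1 cancels every G2 component, while `g2_residue` is non-zero for them except with negligible probability.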
