EFFICIENT SIGNATURES OF KNOWLEDGE AND DAA IN THE STANDARD MODEL (PowerPoint PPT Presentation)

David Bernhard, Georg Fuchsbauer, Essam Ghadafi (ghadafi@cs.bris.ac.uk), Department of Computer Science, University of Bristol. ACNS 2013.


SLIDE 1

EFFICIENT SIGNATURES OF KNOWLEDGE AND DAA IN THE STANDARD MODEL

David Bernhard, Georg Fuchsbauer, Essam Ghadafi

ghadafi@cs.bris.ac.uk, Department of Computer Science, University of Bristol

ACNS 2013

EFFICIENT SIGNATURES OF KNOWLEDGE AND DAA . . .

SLIDE 2

OUTLINE

1 BACKGROUND
2 SECURITY MODEL OF DAA
3 A BLUEPRINT FOR DAA
4 BUILDING BLOCKS
5 OUR CONSTRUCTIONS
6 EFFICIENCY COMPARISON
7 SUMMARY & OPEN PROBLEMS


SLIDE 9

WHAT IS DAA?

A protocol standardized by TCG (Trusted Computing Group) that allows a user possessing a TPM (Trusted Platform Module) to attest to this fact to a verifier, i.e. the TPM anonymously authenticates itself to the verifier.
◮ Direct: Without a third party.
◮ Anonymous: The identity of the user is not revealed.
◮ Attestation: A proof, i.e. it convinces the verifier.

The TPM delegates the non-critical operations to its more powerful host.

SLIDE 10

DAA

Figure: Users 1 to 4 (and a generic User x) join the group via the Group Manager (Join) and then produce DAA signatures for the Verifier.

SLIDE 11

FEATURES OF DAA
◮ The user remains anonymous, i.e. verifiers do not know which TPM produced the signature.
◮ Rogue (i.e. compromised) TPMs can be traced.
◮ The user can opt to have some of his transactions (targeted at the same verifier) be linkable. However, anonymity is still preserved.

SLIDE 12

A BIT OF HISTORY

The first DAA protocol (RSA-based) was proposed by Brickell, Camenisch and Chen [BCC04] in 2004 and was standardized by TCG as part of TPM 1.2. Other (pairing-based) constructions followed:
◮ Brickell, Chen and Li [BCL08], 2008.
◮ Chen [C09], 2009.
◮ Chen, Morrissey and Smart [CMS09], 2009.
◮ Chen, Page and Smart [CPS10], 2010.
◮ Bernhard, Fuchsbauer, Ghadafi, Smart and Warinschi [BFG11], 2011.

SLIDE 13

PRE-DAA

To simplify the security model and constructions, [BFG11] proceed in two steps:
1 Consider a pre-DAA scheme: a fully functional DAA, but the user is regarded as one entity (i.e. not split into a powerful untrusted Host and a computationally constrained trusted TPM).
2 Convert the pre-DAA into a DAA by delegating the non-critical operations to the Host without compromising security.

SLIDE 14

SYNTAX OF A PRE-DAA SCHEME

A PRE-DAA SCHEME
Setup(1^λ): Creates common public parameters param.
GKg(param): Creates a key pair (gmpk, gmsk) for the Issuer.
UKg(param): Creates a secret key sk for a user.
Join(gmpk, sk), Issue(gmsk): If completed successfully, the user obtains a group signing key gsk.
GSig(sk, gsk, bsn, m): Creates a signature σ on message m and basename bsn. bsn could be empty, i.e. bsn = ⊥.
Verify(gmpk, σ, m, bsn): Verifies a signature.
Link(gmpk, m0, σ0, m1, σ1, bsn): Checks whether σ0 on (m0, bsn) and σ1 on (m1, bsn), where bsn ≠ ⊥, were produced by the same user.

SLIDE 15

SYNTAX OF A PRE-DAA SCHEME

A PRE-DAA SCHEME
*IdentifyT(gmpk, T, sk): Checks whether transcript T matches the secret key sk.
*IdentifyS(gmpk, σ, m, bsn, sk): Checks whether σ was produced by the owner of sk.

SLIDE 16

SECURITY OF PRE-DAA

We use the model of [BFG11]:

CORRECTNESS: If all parties are honest, we have that:
1 Signatures are accepted by the Verify algorithm.
2 Signatures can be traced.
3 Signatures that are linkable link.

ANONYMITY: Signatures do not reveal who signed them, and unlinkable signatures do not link, even if the Issuer is corrupt.


SLIDE 18

SECURITY OF PRE-DAA

TRACEABILITY:
1 The adversary cannot output an untraceable signature.
2 The adversary cannot output two signatures which should link but do not.

NON-FRAMEABILITY:
1 The adversary cannot output a signature that traces to an honest user who did not produce it.
2 The adversary cannot output signatures that link but should not.


SLIDE 20

GENERIC CONSTRUCTION OF PRE-DAA

[BFG11] noted that all previous DAA constructions require the following tools:
◮ Randomizable Weakly Blind Signatures (RwBS): Used by the Issuer to issue certificates as credentials when users join the group.
◮ Linkable Indistinguishable Tags (LIT): Needed to provide the linkability of signatures when the same basename is signed by the same user.
◮ Signatures of Knowledge (SoK): Used by users to prove they have a credential and that the signature on the basename verifies w.r.t. their certified secret key.

SLIDE 21

BLIND SIGNATURES

Figure: The User holds pk and the Signer holds sk; after the interaction the User obtains a signature Sig on a message the Signer does not see.

SECURITY REQUIREMENTS [JLO97, PS00]
◮ Blindness: An adversary (i.e. a signer) who chooses the messages does not learn which message is being signed and cannot link a signature to its signing session.
◮ Unforgeability: An adversary (i.e. a user) cannot forge new signatures.


SLIDE 25

RANDOMIZABLE WEAKLY BLIND SIGNATURES (RWBS)

Similar to blind signatures but:
◮ Randomizability: Given a signature σ, anyone can produce a new signature σ′ on the same message.
◮ Weak Blindness: Same as blindness, but the adversary never sees the messages ⇒ the adversary cannot tell whether he was given a signature on a different message or a re-randomization of a signature on the same message.

SLIDE 26

LINKABLE INDISTINGUISHABLE TAGS (LIT)

Figure: Alice and Bob both hold sk. Alice computes τ ← LITTag(sk, m) and sends (m, τ); Bob accepts if LITTag(sk, m) = τ.

SECURITY REQUIREMENTS [BFG11]
◮ Indistinguishability: An adversary cannot distinguish between a tag on a message of his choice and a tag produced under a random key.
◮ Linkability: Two tags are identical iff both were produced using the same key and are on the same message.


SLIDE 28

SIGNATURES OF KNOWLEDGE (SOK)

Figure: The Signer claims "I know w s.t. (w, x) ∈ R_L", computes σ ← SoKSign(R_L, w, x, m) and sends (m, σ); the Verifier accepts iff SoKVerify(σ, R_L, x, m) = 1.

SECURITY REQUIREMENTS [CL06]
◮ Simulatability: There is a simulator who can produce signatures without knowing a witness. Those are indistinguishable from real signatures.
◮ Extractability: There is an extractor who can extract a valid witness w for the statement x from a signature σ output by the adversary (who can ask for simulated signatures).


SLIDE 30

OUR CONTRIBUTION

1 The first efficient signature of knowledge which does not require random oracles.
2 The first DAA constructions without random oracles.

SLIDE 31

THE CHALLENGES

The challenges in the Standard Model:
◮ LITs are much harder to construct in the standard model, especially for large domain spaces.
  ⇒ more subtle than VRFs because they need to be deterministic.
◮ Signatures of Knowledge are harder to construct in the standard model.
  ⇒ they require simulation and extraction at the same time (current PoK techniques do not provide both simultaneously).

SLIDE 32

(PRIME-ORDER) BILINEAR GROUPS

G1, G2, GT are finite cyclic groups of prime order q, where G1 = <P1> and G2 = <P2>.
Pairing (e : G1 × G2 → GT): The function e must have the following properties:
◮ Bilinearity: ∀ Q1 ∈ G1, Q2 ∈ G2, x, y ∈ Z, we have e([x]Q1, [y]Q2) = e(Q1, Q2)^{xy}.
◮ Non-Degeneracy: The value e(P1, P2) ≠ 1 generates GT.
◮ The function e is efficiently computable.
Type-3 [GPS08]: G1 ≠ G2 and there is no efficiently computable isomorphism between G1 and G2.

SLIDE 33

LIT IN THE STANDARD MODEL

We use the weakly secure signature scheme by Boneh and Boyen [BB04] (used by Dodis and Yampolskiy [DY05] to construct a VRF).

THE WEAK BONEH-BOYEN SIGNATURE SCHEME
KeyGen: Select sk ← Zq and compute pk := [sk]P2.
Sign: To sign m ∈ Zq where m ≠ −sk, compute σ := [1/(sk + m)]P1.
Verify: Return 1 if e(σ, pk + [m]P2) = e(P1, P2).

The Idea: Without knowing the public key pk, σ is indistinguishable from another signature under a random key.
The Limitation: Either:
◮ Weak-Ind: The adversary has to declare all his queries and the challenge in advance.
◮ Polynomial Domain Space: ⇒ so that we can guess the challenge.


SLIDE 35

LIT IN THE STANDARD MODEL

Security: Our LIT is secure under the q-DDHI assumption [BB04]:

DEFINITION (q-DDHI ASSUMPTION)
Given (Pi, [x]Pi, [x^2]Pi, . . . , [x^q]Pi) for x ← Zq, it is hard to distinguish [1/x]Pi from a random element of the group Gi.

We can overcome the limitation by using an interactive variant of the q-DDHI assumption [Khl10].

SLIDE 36

SOK IN THE STANDARD MODEL

Our SoK is based on Groth-Sahai proofs [GS08]:

Figure: The Groth-Sahai commutative diagram: the bilinear map f : G1 × G2 → GT and the map F : H1 × H2 → HT, connected by the inclusion maps ι1, ι2, ιT and the projection maps ρ1, ρ2, ρT.

The proofs work by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either:
The simulation setting ⇒ perfectly hiding proofs.
The extraction setting ⇒ perfectly sound proofs.

The issues:
1 Can only extract a one-way function (i.e. [w]Pi) of an exponent witness w.
2 Cannot simulate and extract at the same time.

SLIDE 37

SOK IN THE STANDARD MODEL

To produce a SoK on a message m w.r.t. a statement x ∈ L, the signer proves the following modified statement:
1 x ∈ L, OR
2 He has a signature on x||m that verifies w.r.t. some public key pk.
* The key sk corresponding to pk is only known to the simulator.

The SoK construction is secure:
Extractability: Instantiate Groth-Sahai proofs in the extraction setting (so that we can extract).
Simulatability: The simulator has sk, so he can satisfy the predicate by proving he has a signature on x||m.


SLIDE 39

INSTANTIATING THE SOK

Need a signature scheme that is compatible with Groth-Sahai proofs. ⇒ We use the Waters signature [W05] (secure under CDH+ [BFP11]).

WATERS SIGNATURE SCHEME IN ASYMMETRIC GROUPS [BFP11]
Setup: To sign messages of the form m = (m1, . . . , mN) ∈ {0, 1}^N, choose (Q, U0, . . . , UN) ← G1^{N+2}.
KeyGen: Choose sk ← Zq and compute pk := [sk]P2.
Sign: To sign (m1, . . . , mN) using sk, choose r ← Zq and output σ := (W1 := [sk]Q + [r](U0 + Σ_{i=1}^{N} [mi]Ui), W2 := [−r]P1, W3 := [−r]P2).
Verify: Check that e(W1, P2) e(U0 + Σ_{i=1}^{N} [mi]Ui, W3) = e(Q, pk) and e(W2, P2) = e(P1, W3).

SLIDE 40

RWBS IN THE STANDARD MODEL (INSTANTIATION I)

Based on the NCL signature scheme [Gha11]:

THE NCL SIGNATURE SCHEME
KeyGen: Choose x, y ← Zq, set sk := (x, y) and pk := (X := [x]P2, Y := [y]P2).
Sign: To sign (M1, M2) ∈ G1 × G2, return ⊥ if e(M1, P2) ≠ e(P1, M2); otherwise choose a ← Zq and compute σ := (A := [a]P1, B := [y]A, C := [ay]M1, D := [x](A + C)).
Verify: Check that A ≠ 0 and e(B, P2) = e(A, Y), e(C, P2) = e(B, M2), e(D, P2) = e(A + C, X).

SLIDE 41

RWBS IN THE STANDARD MODEL (INSTANTIATION I)

Properties of the NCL scheme:
◮ Only M1 is needed in signing ⇒ in the RwBS we hide M2 and produce a PoK for it.
◮ Fully re-randomizable ⇒ more efficient RwBS (need not hide the signature).

NCL is secure under the (interactive) DH-LRSW assumption:

DEFINITION (DH-LRSW ASSUMPTION)
Given ([x]P2, [y]P2) for x, y ← Zq and an oracle that on input a pair (M1, M2) ∈ G1 × G2 outputs ⊥ if e(M1, P2) ≠ e(P1, M2), and otherwise a DH-LRSW tuple ([a]P1, [ay]P1, [ay]M1, [ax]P1 + [axy]M1) for a ← Zq, it is hard to compute a DH-LRSW tuple for a pair ([m′]P1, [m′]P2) that was never queried to the oracle.

SLIDE 42

RWBS IN THE STANDARD MODEL (INSTANTIATION II)

Partially re-randomizable and based on the AHO scheme [AHO10].

THE AHO SIGNATURE SCHEME
KeyGen:
  G_R, F_U ← G2^×, a, b ← Zq^×.
  For i = 1, . . . , k: c_i, d_i ← Zq^×, G_i := [c_i]G_R, F_i := [d_i]F_U.
  c_Z, d_Z ← Zq^×, G_Z := [c_Z]G_R, F_Z := [d_Z]F_U.
  Pick (A0, A1, Ã0, Ã1) s.t. e(A0, Ã0) e(A1, Ã1) = e([a]P1, G_R).
  Pick (B0, B1, B̃0, B̃1) s.t. e(B0, B̃0) e(B1, B̃1) = e([b]P1, F_U).
  sk := (a, b, c_Z, d_Z, (c_i, d_i)_{i=1}^{k}).
  pk := (G_Z, F_Z, G_R, F_U, (G_i, F_i)_{i=1}^{k}, A0, A1, Ã0, Ã1, B0, B1, B̃0, B̃1).
Sign: To sign M = (M_i)_{i=1}^{k} ∈ G1^k, choose z, r, t, u, w ← Zq^× and compute
  Z := [z]P1, R := [r − c_Z z]P1 + Σ_{i=1}^{k} [−c_i]M_i, S := [t]G_R, T := [(a − r)/t]P1,
  U := [u − d_Z z]P1 + Σ_{i=1}^{k} [−d_i]M_i, V := [w]F_U, W := [(b − u)/w]P1.
  Output σ := (Z, R, S, T, U, V, W).

SLIDE 43

RWBS IN THE STANDARD MODEL (INSTANTIATION II)

THE AHO SIGNATURE SCHEME
Verify: Parse σ as (Z, R, S, T, U, V, W), M as (M_i)_{i=1}^{k}, and pk as (G_Z, F_Z, G_R, F_U, (G_i, F_i)_{i=1}^{k}, A0, A1, Ã0, Ã1, B0, B1, B̃0, B̃1). Check that
  e(Z, G_Z) e(R, G_R) e(T, S) Π_i e(M_i, G_i) = e(A0, Ã0) e(A1, Ã1)
  e(Z, F_Z) e(U, F_U) e(W, V) Π_i e(M_i, F_i) = e(B0, B̃0) e(B1, B̃1)

Properties of the AHO scheme:
◮ The six elements R, S, T, U, V, W are re-randomizable ⇒ in the RwBS we need to hide R, Z, U.

SLIDE 44

RWBS IN THE STANDARD MODEL (INSTANTIATION II)

AHO is secure under the (non-interactive) q-SFP assumption:

DEFINITION (q-SFP ASSUMPTION)
Given G_Z, F_Z, G_R, F_U ∈ G2, (A, Ã), (B, B̃) ∈ G1 × G2 and q random tuples (Z, R, S, T, U, V, W) each satisfying
  e(A, Ã) = e(Z, G_Z) e(R, G_R) e(T, S) and e(B, B̃) = e(Z, F_Z) e(U, F_U) e(W, V),
it is hard to find another such tuple for which Z is neither 0 nor equal to any of the given Z-values.

SLIDE 45

THE FIRST DAA CONSTRUCTION

We instantiate the generic construction of [BFG11] using:
◮ The AHO-based RwBS.
◮ The WBB-based LIT.
◮ The SoK based on the modified Waters signature scheme [BFP11] + GS proofs.

SLIDE 46

A MORE EFFICIENT DAA CONSTRUCTION

The intuition:
◮ Use the NCL-based RwBS instead of the AHO-based RwBS.
◮ Replace SoKs with standard PoKs (which are more efficient).
◮ Similarly to [G07], use the weak Boneh-Boyen signature scheme (as a LIT and as a standard signature scheme) + a one-time signature scheme.

SLIDE 47

A MORE EFFICIENT DAA CONSTRUCTION: OVERVIEW

GKg: Give the Issuer skNCL.
UKg: The user generates a secret key sk for the WBB-LIT.
Join, Issue: To get cred, run the NCL-based RwBS, where the user only sends f1(sk) and proves knowledge of f2(sk).
GSig:
  • Obtain a one-time signature key pair (vkots, skots).
  • Compute σw ← BBSign(sk, 1||vkots).
  • τ := ∅; if bsn ≠ ⊥, compute τ ← LITTag(sk, 0||bsn).
  • σots ← OTSSign(skots, (m, τ, bsn)).
  • Compute a GS PoK Σ of (f1(sk), f2(sk)) s.t.:
    • e(f1(sk), P2) = e(P1, f2(sk)).
    • The NCL RwBS signature cred is valid on (f1(sk), f2(sk)).
    • σw is a valid signature on 1||vkots under f2(sk).
    • If bsn ≠ ⊥, τ is a valid tag on 0||bsn under f2(sk).
The signature is σ := (cred, τ, σw, vkots, Σ, σots).

SLIDE 48

A MORE EFFICIENT DAA CONSTRUCTION: OVERVIEW

Verify: Return 1 if σots and Σ both verify correctly.
Link: Check that both signatures verify correctly and that τ1 = τ2, where both are tags on the non-empty basename bsn.
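Added example (not code from the paper or the talk): a toy linkable indistinguishable tag in the style of the weak Boneh-Boyen tag of slide 33, wired into the tag and Link steps of the overview on slides 47 and 48. It swaps the pairing group for a prime-order subgroup of Z_p^* (a safe-prime group built at import; constructed, insecure toy parameters), which is enough because Link only needs LITTag and tag equality; the hash into Z_q, the basename strings and the key seeds are assumptions.

```python
"""Toy LIT and DAA-style Link check (added example, not the paper's code).
Tag tau = [1/(sk+m)]P1 becomes g^(1/(sk+m)) mod p in a safe-prime group;
no pairing is available, so the pairing-based Verify is not modelled.
Group size and seeds are constructed toy values, not secure ones."""
import hashlib
import random

def _probable_prime(n):
    # Deterministic Miller-Rabin; these bases are exact for odd n < 3.3e24.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_order(start):
    # Smallest q >= start with q and p = 2q + 1 both prime.
    q = start | 1
    while not (_probable_prime(q) and _probable_prime(2 * q + 1)):
        q += 2
    return q

Q = _safe_prime_order(1 << 64)  # order of the tag subgroup (the role of Zq)
P = 2 * Q + 1                    # modulus of the toy group
G = 4                            # 2^2 is a quadratic residue != 1, so order Q

def hash_to_zq(label, data):
    # Domain-separated hash into Z_Q; the talk tags 0||bsn, so label = b"0".
    return int.from_bytes(hashlib.sha256(label + b"||" + data).digest(), "big") % Q

def lit_tag(sk, m):
    # tau <- LITTag(sk, m) = [1/(sk+m)]P1, here g^(1/(sk+m)) mod p.
    # The scheme excludes m = -sk; reject it instead of inverting zero.
    if (sk + m) % Q == 0:
        raise ValueError("m == -sk (mod q): tag undefined")
    return pow(G, pow((sk + m) % Q, -1, Q), P)

def keygen(seed):
    # UKg: user secret key sk <- Z_Q (seeded so the demo is repeatable).
    return random.Random(seed).randrange(1, Q)

def sign_tag(sk, bsn):
    # Tag part of GSig: tau := empty when bsn = ⊥, else LITTag(sk, 0||bsn).
    return None if bsn is None else lit_tag(sk, hash_to_zq(b"0", bsn))

def link(tau1, bsn1, tau2, bsn2):
    # Link: both tags are on the same non-empty basename and are identical.
    if bsn1 is None or bsn1 != bsn2 or tau1 is None:
        return False
    return tau1 == tau2

def demo():
    # Constructed scenario: two users, two verifier basenames, one empty one.
    alice, bob = keygen(1), keygen(2)
    bsn, other = b"verifier.example", b"other.example"
    a1, a2, b1 = sign_tag(alice, bsn), sign_tag(alice, bsn), sign_tag(bob, bsn)
    e1, e2 = sign_tag(alice, None), sign_tag(alice, None)
    return {
        "same_user_same_bsn": link(a1, bsn, a2, bsn),
        "other_user_same_bsn": link(a1, bsn, b1, bsn),
        "same_user_other_bsn": link(a1, bsn, sign_tag(alice, other), other),
        "empty_bsn_never_links": link(e1, None, e2, None),
    }
```

Only the first scenario links: a repeated basename by the same key yields the same deterministic tag, while a different key, a different basename, or an empty basename never links.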

SLIDE 49

SECURITY OF OUR CONSTRUCTIONS

Construction I is secure under: SXDH, q-SFP, CDH+, and q-DDHI.
Construction II is secure under: SXDH, DH-LRSW, q-SDH and q-DDHI.

SLIDE 50

EFFICIENCY COMPARISON

Scheme               Setting   Model   Signature Size
[BFG11]              Asym-3    ROM     5|G1| + 2 log(q)
Construction II      Asym-3    SM      25|G1| + 11|G2|
Groth’s GS [G07]†+   Asym-3    SM      24|G1| + 15|G2|
Groth’s GS [G07]†    Asym-2    SM      25|G1| + 19|G2|

TABLE: Size of the signature

† Group signatures do not have the subtle linkability requirement.
+ Our joining protocol involves fewer rounds.

SLIDE 51

SUMMARY
◮ The first efficient SoK in the standard model.
◮ The first DAA instantiations in the standard model.

SLIDE 52

OPEN PROBLEMS
◮ A LIT for a large domain space which is based on non-interactive intractability assumptions, or alternative means to realize the indistinguishability and linkability needed for DAA.
◮ More efficient constructions in the standard model.

SLIDE 53

MORE DETAILS

1 D. Bernhard, G. Fuchsbauer and E. Ghadafi. Efficient Signatures of Knowledge and DAA in the Standard Model. Cryptology ePrint Archive, Report 2012/475. August 2012. http://eprint.iacr.org/2012/475.pdf

SLIDE 54

THE END

Thank you for your attention! Questions?