Signatures with Flexible Public Key: Introducing Equivalence Classes



SLIDE 1

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys

Michael Backes, Lucjan Hanzlik, Kamil Kluczniak, Jonas Schneider

SLIDE 2

This Talk

▪ New primitive! Signatures with Flexible Public Key
▪ Applications to
  • sub-linear size Ring Signatures from falsifiable assumptions without trusted setup
  • efficient standard model Group Signatures in combination with SPS-EQ

SLIDE 3

Ring Signatures [Rivest-Shamir-Tauman, 2001]

SLIDE 4

Ring Signatures [Rivest-Shamir-Tauman, 2001]

Ring: vk_1, vk_2, …, vk_n

Signer's keys: sk_i, vk_i

SLIDE 5

Ring Signatures [Rivest-Shamir-Tauman, 2001]

Ring: vk_1, vk_2, …, vk_n

Signer's keys: sk_i, vk_i

σ ← Sign(sk_i, m, ℛ)

SLIDE 6

Ring Signatures [Rivest-Shamir-Tauman, 2001]

Ring: vk_1, vk_2, …, vk_n

Signer's keys: sk_i, vk_i

σ ← Sign(sk_i, m, ℛ)

accept/reject ← Verify(σ, m, ℛ)

SLIDE 7

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜

SLIDE 8

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

SLIDE 9

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle

Corruption Oracle

SLIDE 10

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Corruption Oracle

SLIDE 11

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Corruption Oracle: query i, reply sk_i

SLIDE 12

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Corruption Oracle: query i, reply sk_i

𝒜 outputs (m*, σ*, ℛ*)

SLIDE 13

Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Corruption Oracle: query i, reply sk_i

𝒜 outputs (m*, σ*, ℛ*)

𝒜 wins if
  • accept ← Verify(σ*, m*, ℛ*)
  • (m*, ℛ*) never queried
  • only honest keys in ℛ*

SLIDE 14

Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

SLIDE 15

Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

SLIDE 16

Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Challenge Oracle: query (i_0, i_1, m, ℛ), reply (σ*, ω_1, …, ω_l)
  b ← {0,1}
  σ* ← Sign(sk_{i_b}, m, ℛ)

SLIDE 17

Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Challenge Oracle: query (i_0, i_1, m, ℛ), reply (σ*, ω_1, …, ω_l)
  b ← {0,1}
  σ* ← Sign(sk_{i_b}, m, ℛ)

𝒜 outputs b̂

SLIDE 18

Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006]

𝒜 is given vk_1, vk_2, …, vk_l

Signing Oracle: query (i, m, ℛ), reply σ ← Sign(sk_i, m, ℛ)

Challenge Oracle: query (i_0, i_1, m, ℛ), reply (σ*, ω_1, …, ω_l)
  b ← {0,1}
  σ* ← Sign(sk_{i_b}, m, ℛ)

𝒜 outputs b̂

𝒜 wins if b = b̂

SLIDE 19

Ring Signatures: Desiderata

▪ Standard Model security, falsifiable assumptions, no ROM
▪ Small signatures for efficiency
▪ No form of trusted setup!

SLIDE 20

Ring Signatures: Generic Approach

▪ Sign the Message
▪ Prove Ring Membership

SLIDE 21

Ring Signatures: Generic Approach

▪ Sign the Message
▪ Prove Ring Membership

SLIDE 22

Ring Signatures: [Malavolta-Schröder, 2017]

SLIDE 23

Ring Signatures: [Malavolta-Schröder, 2017]

Σ: Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016]
  sk′ ← Σ.RerandSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

SLIDE 24

Ring Signatures: [Malavolta-Schröder, 2017]

Σ: Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016]
  sk′ ← Σ.RerandSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

Π: tailored NIZK-PoK with shared setup
  π ← Π.Prove( vk in ℛ, vk′ = Σ.RerandVK(vk, r) )

σ = (vk′, σ_m, π)

SLIDE 25

Ring Signatures: [Malavolta-Schröder, 2017]

Σ: Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016]
  sk′ ← Σ.RerandSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

Π: tailored NIZK-PoK with shared setup
  π ← Π.Prove( vk in ℛ, vk′ = Σ.RerandVK(vk, r) )

σ = (vk′, σ_m, π)

  • No Setup
  • Security under q-Strong DH assumption + Linear-KEA (GGM)
  • O(n) signature size

SLIDE 26

Signatures with Flexible Public Key (SFPK)

SLIDE 27

Signatures with Flexible Public Key (SFPK)

(sk, vk) ← KeyGen(1^λ)

σ ← Sign(sk, m)

accept/reject ← Verify(vk, σ, m)

SLIDE 28

Signatures with Flexible Public Key (SFPK)

(sk, vk) ← KeyGen(1^λ)

σ ← Sign(sk, m)

accept/reject ← Verify(vk, σ, m)

sk′ ← ChangeRepSK(sk, r)

vk′ ← ChangeRepVK(vk, r)

vk′ ∼ vk

SLIDE 29

Signatures with Flexible Public Key (SFPK)

(sk, vk) ← KeyGen(1^λ)

σ ← Sign(sk, m)

accept/reject ← Verify(vk, σ, m)

(τ, sk, vk) ← TKeyGen(1^λ)

yes/no ← CheckRep(τ, vk, vk′)

sk′ ← ChangeRepSK(sk, r)

vk′ ← ChangeRepVK(vk, r)

vk′ ∼ vk

SLIDE 30

Signatures with Flexible Public Key (SFPK)

(sk, vk) ← KeyGen(1^λ)

σ ← Sign(sk, m)

accept/reject ← Verify(vk, σ, m)

(τ, sk, vk) ← TKeyGen(1^λ)

yes/no ← CheckRep(τ, vk, vk′)

sk′ ← ChangeRepSK(sk, r)

vk′ ← ChangeRepVK(vk, r)

vk′ ∼ vk

Example

vk, vk′ ∈ 𝔾^ℓ

vk ∼ vk′ if there is r ∈ ℤ_p^* such that (vk_1^r, …, vk_ℓ^r) = (vk′_1, …, vk′_ℓ)
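
The equivalence relation from the Example on slide 30, as a runnable toy. This is an added illustration, not code from the talk or the paper: the group parameters are constructed and insecure, and the trapdoor (the exponent vector of vk) is an assumption made here so that CheckRep has something to work with.

```python
import secrets

# Toy parameters (constructed, insecure size): subgroup of prime order Q in Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def tkeygen(ell=3):
    """Assumed toy TKeyGen: vk_i = G^{x_i}; the trapdoor tau is the exponent vector."""
    tau = tuple(secrets.randbelow(Q - 1) + 1 for _ in range(ell))
    return tau, tuple(pow(G, x, P) for x in tau)

def change_rep_vk(vk, r):
    """ChangeRepVK as in the slide's example: (vk_1^r, ..., vk_ell^r) for r in Z_Q^*."""
    if not 0 < r < Q:
        raise ValueError("r must be in Z_Q^*")
    return tuple(pow(v, r, P) for v in vk)

def _in_class(tau, key):
    """True iff key = (h^{x_1}, ..., h^{x_ell}) for a single non-identity h in the subgroup."""
    if len(key) != len(tau):
        return False
    if any(not (1 < v < P) or pow(v, Q, P) != 1 for v in key):
        return False  # reject the identity and anything outside the order-Q subgroup
    h = pow(key[0], pow(tau[0], -1, Q), P)  # h = key_1^{1/x_1}, equals G^r when key ~ vk
    return all(pow(h, x, P) == v for x, v in zip(tau, key))

def check_rep(tau, vk, vk_prime):
    """CheckRep(tau, vk, vk'): both keys must lie in the class that tau opens."""
    return _in_class(tau, vk) and _in_class(tau, vk_prime)

def demo():
    tau, vk = tkeygen()
    vk2 = change_rep_vk(vk, secrets.randbelow(Q - 1) + 1)
    # Constructed negative case: move one component off the class.
    forged = vk2[:1] + ((vk2[1] * G) % P,) + vk2[2:]
    return check_rep(tau, vk, vk2), check_rep(tau, vk, forged)

if __name__ == "__main__":
    print(demo())
```

Without τ, telling `vk2` apart from a freshly generated key is the class-hiding game shown later in the deck.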

SLIDE 31

SFPK: Unforgeability

𝒜

SLIDE 32

SFPK: Unforgeability

(τ, sk, vk) ← TKeyGen(1^λ)

𝒜 is given (τ, vk)

SLIDE 33

SFPK: Unforgeability

(τ, sk, vk) ← TKeyGen(1^λ)

𝒜 is given (τ, vk)

Signing queries: query (m, r), reply σ
  sk′ ← ChangeRepSK(sk, r)
  σ ← Sign(sk′, m)

SLIDE 34

SFPK: Unforgeability

(τ, sk, vk) ← TKeyGen(1^λ)

𝒜 is given (τ, vk)

Signing queries: query (m, r), reply σ
  sk′ ← ChangeRepSK(sk, r)
  σ ← Sign(sk′, m)

𝒜 outputs (vk*, m*, σ*)

SLIDE 35

SFPK: Unforgeability

(τ, sk, vk) ← TKeyGen(1^λ)

𝒜 is given (τ, vk)

Signing queries: query (m, r), reply σ
  sk′ ← ChangeRepSK(sk, r)
  σ ← Sign(sk′, m)

𝒜 outputs (vk*, m*, σ*)

𝒜 wins if
  • accept ← Verify(vk*, σ*, m*)
  • m* never queried
  • yes ← CheckRep(τ, vk, vk*)

SLIDE 36

SFPK: Class-Hiding

𝒜

SLIDE 37

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

SLIDE 38

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

SLIDE 39

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

r ← R

sk′ ← ChangeRepSK(sk_b, r)

vk′ ← ChangeRepPK(vk_b, r)

SLIDE 40

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

r ← R

sk′ ← ChangeRepSK(sk_b, r)

vk′ ← ChangeRepPK(vk_b, r)

𝒜 is given (vk′, ω_0, ω_1)

SLIDE 41

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

r ← R

sk′ ← ChangeRepSK(sk_b, r)

vk′ ← ChangeRepPK(vk_b, r)

𝒜 is given (vk′, ω_0, ω_1)

Signing queries: query m, reply σ ← Sign(sk′, m)

SLIDE 42

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

r ← R

sk′ ← ChangeRepSK(sk_b, r)

vk′ ← ChangeRepPK(vk_b, r)

𝒜 is given (vk′, ω_0, ω_1)

Signing queries: query m, reply σ ← Sign(sk′, m)

𝒜 outputs b̂

SLIDE 43

SFPK: Class-Hiding

(sk_0, vk_0) ← KeyGen(1^λ; ω_0)

(sk_1, vk_1) ← KeyGen(1^λ; ω_1)

b ← {0,1}

r ← R

sk′ ← ChangeRepSK(sk_b, r)

vk′ ← ChangeRepPK(vk_b, r)

𝒜 is given (vk′, ω_0, ω_1)

Signing queries: query m, reply σ ← Sign(sk′, m)

𝒜 outputs b̂

𝒜 wins if b = b̂

SLIDE 44

Instantiation

sk = (y, X) ∈ ℤ_p × 𝔾_1

vk = (A, B, C, D, t := e(X^y, g_2), K_PHF) ∈ 𝔾_1^4 × 𝔾_T × 𝔾_1^{λ+1}

Sign
  r ← ℤ_p^*
  σ_1 := X^y ⋅ H_{K_PHF}(m)^r
  σ_2 := g_1^r
  σ_3 := g_2^r

Verify
  e(σ_1, g_2) =? e(t, g_2) ⋅ e(H_{K_PHF}(m), σ_3)
  e(σ_2, g_2) =? e(g_1, σ_3)

SLIDE 45

Instantiation

sk = (y, X) ∈ ℤ_p × 𝔾_1

vk = (A, B, C, D, t := e(X^y, g_2), K_PHF) ∈ 𝔾_1^4 × 𝔾_T × 𝔾_1^{λ+1}

Sign
  r ← ℤ_p^*
  σ_1 := X^y ⋅ H_{K_PHF}(m)^r
  σ_2 := g_1^r
  σ_3 := g_2^r

Verify
  e(σ_1, g_2) =? e(t, g_2) ⋅ e(H_{K_PHF}(m), σ_3)
  e(σ_2, g_2) =? e(g_1, σ_3)

  • Unforgeable under DLIN assumption and security of PHF (e.g. CDH)
  • Class Hiding under DDH assumption in 𝔾_1

SLIDE 46

Ring Signatures: [Malavolta-Schröder, 2017]

Σ: Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016]
  sk′ ← Σ.RerandSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

Π: tailored NIZK-PoK with shared setup
  π ← Π.Prove( vk in ℛ, vk′ = Σ.RerandVK(vk, r) )

σ = (vk′, σ_m, π)

  • No Setup
  • Security under q-Strong DH assumption + Linear-KEA (GGM)
  • O(n) signature size

SLIDE 47

Ring Signatures: Our Construction

SLIDE 48

Ring Signatures: Our Construction

Σ: Signature Scheme with Flexible Public Keys
  sk′ ← Σ.ChangeRepSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

SLIDE 49

Ring Signatures: Our Construction

Σ: Signature Scheme with Flexible Public Keys
  sk′ ← Σ.ChangeRepSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

Π: perfectly sound NIWI [Groth-Ostrovsky-Sahai, 2006]
  π ← Π.Prove( vk in ℛ, vk′ = Σ.ChangeRepVK(vk, r) )

σ = (vk′, σ_m, π)

SLIDE 50

Ring Signatures: Our Construction

Σ: Signature Scheme with Flexible Public Keys
  sk′ ← Σ.ChangeRepSK(sk, r)
  σ_m ← Σ.Sign(sk′, m||ℛ)

Π: perfectly sound NIWI [Groth-Ostrovsky-Sahai, 2006]
  π ← Π.Prove( vk in ℛ, vk′ = Σ.ChangeRepVK(vk, r) )

σ = (vk′, σ_m, π)

  • No need to extract randomizer from SFPK in unforgeability proof!
  • Perfectly sound NIWI without Setup + square root technique [Chandran-Groth-Sahai, 2007]

➡ O(√n) size Ring Signatures without Setup from Standard assumptions!

SLIDE 51

Group Signatures [Bellare-Micciancio-Warinschi, 2003]

𝒢

Group: sk_1, sk_2, …, sk_n

Keys: gpk, msk, osk

σ ← Sign(gpk, sk_i, m)

accept/reject ← Verify(gpk, σ, m)

i ← Open(osk, σ, m)

Anonymity
  • Signature hides signer identity

Traceability
  • Opening cannot be evaded or subverted

SLIDE 52

Group Signatures: Our construction

Σ_flex: SFPK

Σ_EQ: SPS-EQ [Fuchsbauer-Gay, 2018]

vk, vk′ ∈ 𝔾^ℓ

vk ∼ vk′ if there is r ∈ ℤ_p^* such that (vk_1^r, …, vk_ℓ^r) = (vk′_1, …, vk′_ℓ)

Setup:

Sign:

SLIDE 53

Group Signatures: Our construction

Σ_flex: SFPK

Σ_EQ: SPS-EQ [Fuchsbauer-Gay, 2018]

vk, vk′ ∈ 𝔾^ℓ

vk ∼ vk′ if there is r ∈ ℤ_p^* such that (vk_1^r, …, vk_ℓ^r) = (vk′_1, …, vk′_ℓ)

Setup:
  For i ∈ [n]: (osk[i], sk_i, vk_i) ← Σ_flex.TKeyGen(1^λ)
  (msk, gpk[0]) ← Σ_SPS.KeyGen(1^λ)
  (gpk[1], …, gpk[n]) ← (Σ_SPS.Sign(msk, vk_1), …, Σ_SPS.Sign(msk, vk_n))

Sign:

SLIDE 54

Group Signatures: Our construction

Σ_flex: SFPK

Σ_EQ: SPS-EQ [Fuchsbauer-Gay, 2018]

vk, vk′ ∈ 𝔾^ℓ

vk ∼ vk′ if there is r ∈ ℤ_p^* such that (vk_1^r, …, vk_ℓ^r) = (vk′_1, …, vk′_ℓ)

Setup:
  For i ∈ [n]: (osk[i], sk_i, vk_i) ← Σ_flex.TKeyGen(1^λ)
  (msk, gpk[0]) ← Σ_SPS.KeyGen(1^λ)
  (gpk[1], …, gpk[n]) ← (Σ_SPS.Sign(msk, vk_1), …, Σ_SPS.Sign(msk, vk_n))

Sign:
  sk′ ← Σ_flex.ChangeRepSK(sk, r)
  σ_m ← Σ_flex.Sign(sk′, m)
  σ′_vk ← Σ_EQ.ChangeRep(gpk[0], vk′, σ_vk)
  σ = (vk′, σ_m, σ_vk′)

SLIDE 55

Group Signatures: Our construction

Σ_flex: SFPK

Σ_EQ: SPS-EQ [Fuchsbauer-Gay, 2018]

vk, vk′ ∈ 𝔾^ℓ

vk ∼ vk′ if there is r ∈ ℤ_p^* such that (vk_1^r, …, vk_ℓ^r) = (vk′_1, …, vk′_ℓ)

Setup:
  For i ∈ [n]: (osk[i], sk_i, vk_i) ← Σ_flex.TKeyGen(1^λ)
  (msk, gpk[0]) ← Σ_SPS.KeyGen(1^λ)
  (gpk[1], …, gpk[n]) ← (Σ_SPS.Sign(msk, vk_1), …, Σ_SPS.Sign(msk, vk_n))

Sign:
  sk′ ← Σ_flex.ChangeRepSK(sk, r)
  σ_m ← Σ_flex.Sign(sk′, m)
  σ′_vk ← Σ_EQ.ChangeRep(gpk[0], vk′, σ_vk)
  σ = (vk′, σ_m, σ_vk′)

  • DDH + co-Flex-DH ⇒ 20𝔾_1 + 5𝔾_2
  • GGM + co-Flex-DH ⇒ 9𝔾_1 + 2𝔾_2

[Fuchsbauer-Hanser-Slamanig, 2014]

SLIDE 56

Summary

Signatures with flexible public keys:
➡ short ring signatures from weak assumptions without setup
➡ short group signatures because of compatibility with SPS-EQ
➡ generic privacy preserving building block

Thanks!

jonas.schneider@cispa-helmholtz.de
ia.cr/2018/191