USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 - - PowerPoint PPT Presentation

user signer
SMART_READER_LITE
LIVE PREVIEW

USER SIGNER E FFICIENT T WO -M OVE B LIND S IGNATURES . . . 1 / 18 - - PowerPoint PPT Presentation

Feb 13, 2024 836 likes •1.17k views

B LIND S IGNATURES S ECURITY M ODEL R ELATED W ORK O UR C ONSTRUCTION E FFICIENCY C OMPARISON O PEN P ROBLEMS E FFICIENT T WO -M OVE B LIND S IGNATURES IN THE C OMMON R EFERENCE S TRING M ODEL E. Ghadafi N.P. Smart Department of Computer Science,

slide-1
SLIDE 1

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES IN

THE COMMON REFERENCE STRING MODEL

  • E. Ghadafi

N.P. Smart

Department of Computer Science, University of Bristol

Information Security Conference – ISC 2012

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-2
SLIDE 2

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-3
SLIDE 3

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-4
SLIDE 4

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-5
SLIDE 5

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-6
SLIDE 6

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-7
SLIDE 7

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUTLINE

1

BLIND SIGNATURES

2

SECURITY MODEL

3

RELATED WORK

4

OUR CONSTRUCTION

5

EFFICIENCY COMPARISON

6

OPEN PROBLEMS

EFFICIENT TWO-MOVE BLIND SIGNATURES . . .

slide-8
SLIDE 8

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

(TWO-MOVE) BLIND SIGNATURES

USER SIGNER

sk pk

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 1 / 18

slide-9
SLIDE 9

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

(TWO-MOVE) BLIND SIGNATURES

USER SIGNER

sk pk

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 1 / 18

slide-10
SLIDE 10

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

(TWO-MOVE) BLIND SIGNATURES

USER SIGNER

sk pk

Sig

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 1 / 18

slide-11
SLIDE 11

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

(TWO-MOVE) BLIND SIGNATURES

USER SIGNER

sk pk

Sig

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 1 / 18

slide-12
SLIDE 12

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

APPLICATIONS OF BLIND SIGNATURES Example applications: ◮ E-Cash: A bank signs a coin without learning its serial number (provides unlinkability between withdrawal and spend transactions). ◮ E-Voting: Authority certifies a ballot without learning its

  • content. The client cannot vote for more than one candidate.

◮ Many other applications where anonymity/privacy or unlinkability are required (Anonymous Access Control, ... etc. ).

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 2 / 18

slide-13
SLIDE 13

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

ALGORITHMS OF A BLIND SIGNATURE ◮ Setup crsBS ← − SetupBS(1λ) ◮ Key Generation (skBS, pkBS) ← − KeyGenBS(crsBS) ◮ Signing (⊥, σ) ← − RequestBS(pkBS, m), IssueBS(skBS) ◮ Verification 1/0 ← − VerifyBS(pkBS, m, σ)

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 3 / 18

slide-14
SLIDE 14

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

SECURITY OF BLIND SIGNATURES ◮ Blindness [JLO97,PS00]: The Signer does not learn what message he is signing nor can he link a signature to its sign request.

pkBS,skBS

RequestBS(pkBS,mb) RequestBS(pkBS,mb)

b* b {0,1}

RequestBS(pkBS,m1-b) RequestBS(pkBS,m1-b)

(σ0,σ1) or ( , ) ⟂ ⟂ m0,m1 σb σ1-b

The adversary wins if b∗ = b.

  • Malicious Keys [Oka06]: The adversary generates the keys.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 4 / 18

slide-15
SLIDE 15

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

SECURITY OF BLIND SIGNATURES ◮ Blindness [JLO97,PS00]: The Signer does not learn what message he is signing nor can he link a signature to its sign request.

pkBS,skBS

RequestBS(pkBS,mb) RequestBS(pkBS,mb)

b* b {0,1}

RequestBS(pkBS,m1-b) RequestBS(pkBS,m1-b)

(σ0,σ1) or ( , ) ⟂ ⟂ m0,m1 σb σ1-b

The adversary wins if b∗ = b.

  • Malicious Keys [Oka06]: The adversary generates the keys.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 4 / 18

slide-16
SLIDE 16

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

SECURITY OF BLIND SIGNATURES ◮ (Weak) Unforgeability [JLO97,PS00]: The User cannot output more signatures than the number of interactions with the signer.

pkBS IssueBS(skBS) IssueBS(skBS) (n times) (m1,σ1),…,(mn+1,σn+1)

The adversary wins if all σi verify and the messages are distinct.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 5 / 18

slide-17
SLIDE 17

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

RELATED WORK Some previous two-move constructions: ◮ Chaum 1983: using RSA signatures (ROM). ◮ Boldyreva 2003: using BLS signatures (ROM). ◮ Fischlin 2006: generic construction (CRS). ◮ Fuchsbauer 2009: special case instantiation of Fischlin 2006 (CRS). ◮ AHO 2010: efficient instantiation of Fischlin 2006 (CRS). ◮ MSF 2010: using Waters signatures in composite-order groups (CRS). ◮ Garg et al. 2011: generic construction (Standard Model).

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 6 / 18

slide-18
SLIDE 18

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR APPROACH We follow the Blind-Unblind paradigm ... USER SIGNER

sk pk

m m'←Blind(m,r) m' σ'← Sign(sk,m') σ←Unblind(σ',r)

However, we dispense with the need for random oracles by requiring a common reference string.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 7 / 18

slide-19
SLIDE 19

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

(PRIME-ORDER) BILINEAR GROUPS G1, G2, GT are finite cyclic groups of prime order q, where G1 =< P1 > and G2 =< P2 >. Pairing (e : G1 × G2 − → GT) : The function e must have the following properties: ◮ Bilinearity: ∀Q1 ∈ G1 , Q2 ∈ G2 x, y ∈ Z, we have e([x]Q1, [y]Q2) = e(Q1, Q2)xy. ◮ Non-Degeneracy: The value e(P1, P2) = 1 generates GT. ◮ The function e is efficiently computable. Type-3 [GPS08]: G1 = G2 and no efficiently computable isomorphism between G1 and G2.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 8 / 18

slide-20
SLIDE 20

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

INTRACTABILITY ASSUMPTIONS DEFINITION (LRSW ASSUMPTION [LRSW99]) Given (X ← [x]P2, Y ← [y]P2) and access to an oracle OX,Y(·) that,

  • n input fi ∈ Zq outputs (Ai, Bi, Ci) ← (Ai, [y]Ai, [x + fi · x · y]Ai), for

some random Ai ∈ G1, it is hard to output (f ∗, A∗, B∗, C∗) where f ∗ / ∈ {fi} ∪ {0}. DEFINITION (B-LRSW ASSUMPTION [CMS09]) Given (X ← [x]P2, Y ← [y]P2) and access to an oracle OB

X,Y(·) that,

  • n input Fi = [fi]P1 ∈ G1 outputs

(Ai, Bi, Ci) ← (Ai, [y]Ai, [x + fi · x · y]Ai), for some random Ai ∈ G1, it is hard to output (f ∗, A∗, B∗, C∗) where [f ∗]P1 / ∈ {Fi} ∪ {0G1}.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 9 / 18

slide-21
SLIDE 21

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

INTRACTABILITY ASSUMPTIONS DEFINITION (LRSW ASSUMPTION [LRSW99]) Given (X ← [x]P2, Y ← [y]P2) and access to an oracle OX,Y(·) that,

  • n input fi ∈ Zq outputs (Ai, Bi, Ci) ← (Ai, [y]Ai, [x + fi · x · y]Ai), for

some random Ai ∈ G1, it is hard to output (f ∗, A∗, B∗, C∗) where f ∗ / ∈ {fi} ∪ {0}. DEFINITION (B-LRSW ASSUMPTION [CMS09]) Given (X ← [x]P2, Y ← [y]P2) and access to an oracle OB

X,Y(·) that,

  • n input Fi = [fi]P1 ∈ G1 outputs

(Ai, Bi, Ci) ← (Ai, [y]Ai, [x + fi · x · y]Ai), for some random Ai ∈ G1, it is hard to output (f ∗, A∗, B∗, C∗) where [f ∗]P1 / ∈ {Fi} ∪ {0G1}.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 9 / 18

slide-22
SLIDE 22

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

INTRACTABILITY ASSUMPTIONS DEFINITION (E-LRSW ASSUMPTION (HOLDS IN GGM)) Given X ← [x]P2, Y ← [y]P2, Z ← [z]P1 and access to an oracle OE

X,Y,Z(·) that on input Fi = [fi]P1 ∈ G1 outputs

(Ai, Bi, Ci, Di) ← (Ai, [y]Ai, [x + fi · x · y]Ai, [x · y · z]Ai), for some random Ai ∈ G1, it is hard to output (fi, Ai, Bi, Ci)n+1

i=1 where fi = 0 are

distinct after interacting with OE n times.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 10 / 18

slide-23
SLIDE 23

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

BUILDING BLOCKS ◮ CL Signatures [CL04] Given the description of bilinear groups P ← SetupGrp(1λ).

KeyGen(P): Select x, y ← Zq. Set X ← [x]P2 and Y ← [y]P2. sk ← (x, y) ∈ Zp × Zp and pk ← (X, Y) ∈ G2

2.

Sign(sk, m): To sign a message m ∈ Zq, select a ← Zq, and set A ← [a]P1, B ← [y]A, and C ← [x + m · x · y]A. output σ ← (A, B, C) ∈ G3

1.

Verify(pk, m, σ): Output 1 iff e(A, Y) = e(B, P2) and e(C, P2) = e(A, X)e(B, X)m

  • Existentially unforgeable ⇒ the LRSW assumption.
  • Randomizable signatures: To randomize a signature σ, select

t ← Zq and compute σ′ ← [t]σ.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 11 / 18

slide-24
SLIDE 24

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

BUILDING BLOCKS ◮ Pedersen Commitment [Ped91]

Setup: Let G =< P > be a group of prime order q. Select Q ← G. Set pk ← (P, Q). Commit(m): To commit to a message m ∈ Zq, select r ← Zq, and set C ← [m]P + [r]Q. Opening: to open a commitment C just reveal m and r. the correctness can be checked by verifying that C = [m]P + [r]Q. Security:

Information theoretically hiding. Computationally binding ⇒ DL assumption.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 12 / 18

slide-25
SLIDE 25

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR SCHEME ◮ The Idea:

1 The User sends a Pedersen commitment Co to his message to the

signer.

2 The Signer issues an E-LRSW tuple (A, B, C, D) on the

commitment Co.

3 Using the randomness used in Co, the user recovers a CL

signature (A, B, C) on m and re-randomizes it.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 13 / 18

slide-26
SLIDE 26

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR SCHEME ◮ The Idea:

1 The User sends a Pedersen commitment Co to his message to the

signer.

2 The Signer issues an E-LRSW tuple (A, B, C, D) on the

commitment Co.

3 Using the randomness used in Co, the user recovers a CL

signature (A, B, C) on m and re-randomizes it.

◮ Security of the scheme:

Blindness ⇒

1

The perfect hiding property of Pedersen commitments.

2

The re-randomizability of CL signatures.

Unforgeability ⇒ the hardness of the E-LRSW assumption.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 13 / 18

slide-27
SLIDE 27

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR SCHEME

SetupBS(1λ):

  • P ← SetupGrp(1λ).
  • z ∈ Zq.
  • Z ← [z]P1.
  • M := Z×

q .

  • crsBS ← (P, Z, M).
  • Output crsBS.

Request0

BS(m, pkBS):

  • r ← Zq.
  • Co ← [m]P1 + [r]Z.
  • ρ ← Co, St ← (m, r).
  • Output (ρ, St).

Request1

BS(β, St, pkBS):

  • Parse β as (A, B, C, D).
  • Parse St as (m, r).
  • C ← C − [r]D.
  • If VerifyBS(m, (A, B, C), pkBS) = 0
  • Return ⊥.
  • t ← Zq.
  • A ← [t]A, B ← [t]B, C ← [t]C.
  • σ ← (A, B, C).
  • Output σ.

KeyGenBS(P):

  • x, y ← Zq.
  • X ← [x]P2.
  • Y ← [y]P2.
  • skBS ← (x, y), pkBS ← (X, Y).
  • Output (pkBS, skBS).

IssueBS(ρ, skBS):

  • Parse ρ as Co.
  • a ← Zq.
  • A ← [a]P1
  • B ← [a · y]P1
  • C ← [a · x]P1 + [a · x · y]Co
  • D ← [a · x · y]Z.
  • β ← (A, B, C, D).
  • Output β.

VerifyBS(m, σ, pkBS):

  • Parse σ as (A, B, C).
  • If A = 0 or e(A, Y) = e(B, P2) or

e(C, P2) = e(A, X) · e(B, X)m

  • Return 0.
  • Return 1.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 14 / 18

slide-28
SLIDE 28

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR SCHEME The Pros:

Standard final signatures (i.e. we do not hide the signature). Round-optimal signing protocol (i.e. two-move). No proofs of knowledge used. Short signatures of size G3

1.

Very low communication overhead: user sends one element in G1, whereas the signer sends G4

1.

Short public key of size G2

2.

Minimal reference string which is one element in G1.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 15 / 18

slide-29
SLIDE 29

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OUR SCHEME The Cons:

Blindness holds w.r.t. honestly generated keys.

Can be overcome by requiring the signer to prove knowledge of the secret key.

The E-LRSW assumption is interactive and is thus unfalsifiable [Naor03].

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 16 / 18

slide-30
SLIDE 30

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

EFFICIENCY COMPARISON

Scheme Signature Communication CRS Key User Signer Fuchsbauer09 G18

1 × G16 2

G17

1 × G16 2

G3

1 × G2 2

G7

1 × G4 2

G1 × G2 AHO10 G12

1 × G14 2

G2 G2

1 × G5 2

G10

1 × G5 2

G4

1 × G7 2

MSF10† G2 G2·||m|| G3 G||m||+2 GT Ours G3

1

G1 G4

1

G1 G2

2

† Uses composite-order groups. At 80-bit symmetric-key security, the size of elements of G is 1024 bits compared to 128 and 256 bits for G1 and G2 in prime-order groups.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 17 / 18

slide-31
SLIDE 31

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

OPEN PROBLEMS ◮ Achieving blindness w.r.t. maliciously chosen keys without degrading the efficiency or increasing the number of rounds. ◮ Constructions with similar efficiency based on falsifiable (non-interactive) intractability assumptions.

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 18 / 18

slide-32
SLIDE 32

BLIND SIGNATURES SECURITY MODEL RELATED WORK OUR CONSTRUCTION EFFICIENCY COMPARISON OPEN PROBLEMS

THE END

The End. Questions?

EFFICIENT TWO-MOVE BLIND SIGNATURES . . . 18 / 18