Cryptanalysis of the Structure-Preserving

Cryptanalysis of the Structure-Preserving
Signature Scheme on Equivalence Classes from
Asiacrypt 2014
Yanbin Pan
Academy of Mathematics and Systems Science,
Chinese Academy of Sciences
CT-RSA 2016, San Francisco
2016-3-3
1 / 39
Contents
1. Structure-Preserving Signature Scheme on Equivalence Classes
a. Structure-Preserving Signature Scheme on Equivalence Classes
b. Security of SPS-EQ
2. The Hanser-Slamanig SPS-EQ Scheme
a. Description of the Hanser-Slamanig SPS-EQ Scheme
b. Fuchsbauer’s Attack to Break the EUF-CMA of the Scheme
3. Our Attacks
a. Our Attacks
b. Related Work to Fix the Scheme
2 / 39
Structure-Preserving Signature
Scheme on Equivalence Classes
3 / 39
Digital Signature Scheme
I
KeyGen(1n ): Generate public key pk and private key sk;
I
Sign: Given message m, the signer computes the signature
σ = Signpk,sk (m) and publishes the pair
(m, σ).
I
Verify: the verifier accepts the message-signature pair if and only if
Verifypk (m, σ) = true.
4 / 39
Structure-Preserving Signature Scheme (SPS)
I
Proposed by Abe et al. in CRYPTO 2010;
I
Employs bilinear map;
5 / 39
Structure-Preserving Signature Scheme (SPS)
I
Proposed by Abe et al. in CRYPTO 2010;
I
Employs bilinear map;
Bilinear Map
Let G1 , G2 and GT be cyclic groups of prime order p, where G1 and
G2 are additive and GT is multiplicative. Let P and P 0 generate G1
and G2 , respectively. We call
e : G1 × G2 → GT
a bilinear map if it is efficiently computable and satisfies
I
I
For any a, b ∈ Zp , e(aP, bP 0 ) = e(P, P 0 )ab = e(bP, aP 0 ).
e(P, P 0 ) 6= 1GT .
6 / 39
Structure-Preserving Signature Scheme (SPS)
I
Proposed by Abe et al. in CRYPTO 2010;
I
Employs bilinear map;
I
The pk, m and σ consist only of group elements;
I
The signature can be verified just by deciding group membership
and by evaluating some pairing-product equations;
7 / 39
Structure-Preserving Signature Scheme (SPS)
I
Proposed by Abe et al. in CRYPTO 2010;
I
Employs bilinear map;
I
The pk, m and σ consist only of group elements;
I
The signature can be verified just by deciding group membership
and by evaluating some pairing-product equations;
I
Many applications: blind signatures, group signatures,
homomorphic signatures, tightly secure encryption...
8 / 39
SPS on Equivalence Classes (SPS-EQ)
I
Proposed by Hanser and Slamanig in Asiacrypt 2014;
I
A structure-preserving signature with message space (G∗ )` ;
I
For any message N equivalent to M, its valid signature can be
efficiently obtained by the signature of M.
9 / 39
SPS on Equivalence Classes (SPS-EQ)
I
Proposed by Hanser and Slamanig in Asiacrypt 2014;
I
A structure-preserving signature with message space (G∗ )` ;
I
For any message N equivalent to M, its valid signature can be
efficiently obtained by the signature of M.
Equivalence Relation in [HS2014]
Given a cyclic group G with order p and an integer ` > 1:
I
The equivalence relation:
R = {(M, N) ∈ (G∗ )` × (G∗ )` : ∃ρ ∈ Z∗p s.t. N = ρM}.
I
The equivalence class:
[M]R = {N ∈ (G∗ )` : ∃ρ ∈ Z∗p s.t. N = ρM}.
10 / 39
SPS on Equivalence Classes (SPS-EQ)
I
Proposed by Hanser and Slamanig in Asiacrypt 2014;
I
A structure-preserving signature with message space (G∗ )` ;
I
For any message N equivalent to M, its valid signature can be
efficiently obtained by the signature of M.
I
Used to construct an efficient multi-show attribute-based
anonymous credential system [HS2014].
11 / 39
SPS-EQ
Definition ( SPS-EQ-R)
An SPS-EQ-R scheme consists of the following polynomial-time algorithms:
I BGGenR (1κ ): Given a security parameter κ, outputs a bilinear group
description BG.
I KeyGenR (BG, `): Given BG and vector length ` > 1, outputs a key pair
(sk, pk).
I SignR (M, sk): On input a representative M of equivalence class [M]R and
secret key sk, outputs a signature σ for the equivalence class [M]R .
I ChgRepR (M, σ, ρ, pk): On input a representative M of an equivalence class
[M]R , the corresponding signature σ, a scalar ρ and a public key pk, outputs
(ρM, σ̂), where σ̂ is the signature on ρM.
I VerifyR (M, σ, pk): Given a representative M of equivalence class [M]R , a
signature σ and public key pk, outputs true if σ is a valid signature for [M]R
and false otherwise.
12 / 39
Security of SPS-EQ
Random Message Attack
Non-Adaptive CMA
Adaptive CMA
I
Unforgeability
UF-RMA
UF-NACMA
UF-ACMA
Existential Unforgeability
EUF-RMA
EUF-NACMA
EUF-ACMA
EUF-ACMA:
"
Pr
(sk, pk) ← KeyGen(1n ), (M ∗ , σ ∗ ) ← AO(sk,·) (pk) :
[M ∗ ]R has not been queried ∧ VerifyR (M ∗ , σ ∗ , pk) = true
#
≤ negl(n)
13 / 39
The Hanser-Slamanig SPS-EQ
Scheme
14 / 39
The Hanser-Slamanig SPS-EQ Scheme
I
BGGenR (1κ ): Given a security parameter κ, outputs
BG = (p, G1 , G2 , GT , P, P 0 , e).
I
R
KeyGenR (BG, `): Given ` > 1, chooses x ← Z∗p and
R
(xi )ì=1 ← (Z∗p )` , computes
sk ← (x, (xi )ì=1 ),
pk ← (X 0 , (Xi0 )ì=1 ) = (xP 0 , (xi xP 0 )ì=1 ).
15 / 39
The Hanser-Slamanig SPS-EQ Scheme
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
xi Mi ,
V ←y
i=1
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
I
VerifyR (M, σ, pk): checks whether
`
Y
?
e(Mi , Xi0 ) = e(Z , P)
^
?
e(Z , Y 0 ) = e(V , X 0 )
^
?
e(P, Y 0 ) = e(Y , P 0 )
i=1
or not and outputs true if this holds and false otherwise.
16 / 39
Fuchsbauer’s Attack when ` = 2
1. A receives pk and has access to a signing oracle.
2. A makes a signing query (P, P) and receives the signature
(Z1 , V1 , Y1 , Y10 ).
3. A makes a signing query (Z1 , P) and receives the signature
(Z2 , V2 , Y2 , Y20 ).
4. A makes a signing query (P, Z1 ) and receives the signature
(Z3 , V3 , Y3 , Y30 ).
5. A makes a signing query (Z1 , Z2 ) and receives the signature
(Z4 , V4 , Y4 , Y40 ).
6. A outputs (Z4 , V4 , Y4 , Y40 ) as a forgery for the equivalence class
represented by (Z3 , Z1 ).
17 / 39
Some Remarks on Fuchsbauer’s attack
I
It needs 4 adaptive queries;
I
Succeeds with high probability;
I
Neglected to check whether (Z3 , Z1 ) is in (G∗1 )2 or not;
I
Break EUF-CMA just for ` = 2;
I
Amazing but hard to follow the idea. It is hard to point out which
component of the scheme is weak from his attack.
18 / 39
Our Attacks
19 / 39
Main Result
Attack Model
Security
`
RMA
Existential Unforgeability [HS14]
`≥2
NACMA
Existential Forgeability [this work]
`≥2
Existential Forgeability [Fuch14]
`=2
Universal Forgeability [this work]
`≥2
ACMA
20 / 39
Our Attacks
I
Never Fail;
I
Use less queries;
Non-Adaptive CMA
Adaptive CMA
I
`=2
2
3
`>2
3
4
Easy to understand, and provide clear hint to fix the scheme.
21 / 39
The Key Observation
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
i=1
xi Mi ,
V ←y
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
22 / 39
The Key Observation
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
xi Mi ,
V ←y
i=1
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
For any two messages M and M ∗ , if
`
X
i=1
xi Mi =
`
X
xi Mi∗ ,
i=1
then M and M ∗ share the same signature.
23 / 39
The Key Observation
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
V ←y
xi Mi ,
i=1
`
X
(Y , Y 0 ) ← y · (P, P 0 ).
xi Mi ,
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
Generally, for any K ∈ ker(ϕ), that is,
ϕ:
(G1 )`
(Mi )ì=1
P`
i=1 xi Ki
= 0,
→ G1
P̀
7→
xi Mi ,
i=1
M and M + K share the same signature.
24 / 39
Find a Non-Trivial K
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
i=1
xi Mi ,
V ←y
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
25 / 39
Find a Non-Trivial K
I
SignR (M, sk): On input a representative M = (Mi )ì=1 ∈ (G∗1 )` of
R
[M]R , chooses y ← Z∗p and computes
Z ←x
`
X
i=1
xi Mi ,
V ←y
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
Then, outputs σ = (Z , V , Y , Y 0 ).
Note that
K = (xx2 P, −xx1 P, 0, · · · , 0) ∈ ker(ϕ)\(0, · · · , 0).
26 / 39
Find K when ` = 2
1. A receives pk and has access to a signing oracle.
2. A first chooses any invertible matrix
a1 a2
∈ Z∗2×2
p
a3 a4
and computes its inverse
such that
b1
b3
b2
b4
b1
b3
a1
a3
b2
b4
a2
a4
∈ Z2×2
p ,
=
1
0
0
1
mod p.
27 / 39
Find K when ` = 2
3 A makes a signing query with (a1 P, a2 P) and gets its signature
(Z1 , V1 , Y1 , Y10 ).
4 A makes a signing query with (a3 P, a4 P) and gets its signature
(Z2 , V2 , Y2 , Y20 ).
5 A computes ((b3 Z1 + b4 Z2 ), −(b1 Z1 + b2 Z2 )).
We claim that
((b3 Z1 + b4 Z2 ), −(b1 Z1 + b2 Z2 )) = (xx2 P, −xx1 P).
28 / 39
Find K when ` > 2
1. A receives pk and has access to a signing oracle.
2. A makes a signing query with (P, P, P, · · · , P) and gets
(Z1 , V1 , Y1 , Y10 ).
3. A makes a signing query with (2P, P, P, · · · , P) and gets
(Z2 , V2 , Y2 , Y20 ).
4. A makes a signing query with (P, 2P, P, · · · , P) and gets
(Z3 , V3 , Y3 , Y30 ).
5. A computes (Z3 − Z1 , Z1 − Z2 , 0, · · · , 0).
We claim that
(Z3 − Z1 , Z1 − Z2 , 0, · · · , 0) = (xx2 P, −xx1 P, 0, · · · , 0).
29 / 39
The Procedure to Find K
Note that
I
The procedure to find K only involves non-adaptive queries;
I
For ` = 2, we need 2 queries;
I
For ` > 2, we need 3 queries.
30 / 39
Framework of Our Attacks
Breaking the EUF-Non-Adaptive-CMA:
I
Find K with the non-adaptive queries;
I
Output the message-signature pair (M ∗ = M + ρK , σM ), where M
has been queried in the procedure above and σM is its signature.
Breaking the UF-Adaptive-CMA:
I
Find K with the non-adaptive queries;
I
For any message M ∗ to be signed, generate M = M ∗ + ρK , make a
signing query with M and get its signature σM ;
I
Output σM as the signature of M ∗ .
31 / 39
Some Remarks
Note that we have to show
I
[M ∗ ]R has not been queried to the signing oracle;
I
Every message queried to the signing oracle must be in (G∗1 )` , that
is, every component of the message is not zero.
32 / 39
E.g.: Breaking the EUF-NA-CMA when ` = 2 (I)
a1
a3
a2
a4
∈ Z∗2×2
with its inverse
p
I
Choose any invertible matrix
b1 b2
∈ Zp2×2 .
b3 b4
I
Query with M (1) = (a1 P, a2 P) and gets σ1 = (Z1 , V1 , Y1 , Y10 ).
I
Query with M (2) = (a3 P, a4 P) and gets σ2 = (Z2 , V2 , Y2 , Y20 ).
I
A computes K = ((b3 Z1 + b4 Z2 ), −(b1 Z1 + b2 Z2 )).
33 / 39
E.g.: Breaking the EUF-NA-CMA when ` = 2 (II)
I
If K is equivalent to neither M (1) nor M (2) , output the message K
and the signature σ = (0, 0, yP, yP 0 ) for any y ∈ Z∗p .
I
If K is equivalent to M (1) , output the message M ∗ = M (2) + ρK
and the signature σ2 , where ρ ∈ {1, 2, 3} is chosen to ensure that
that M ∗ ∈ (G∗1 )2 .
I
If K is equivalent to M (2) , output the message M ∗ = M (1) + ρK
and the signature σ1 , where ρ ∈ {1, 2, 3} is chosen to ensure that
that M ∗ ∈ (G∗1 )2 .
34 / 39
There is only One Signature Essentially!
For any M 6∈ ker(ϕ),
.
[
ρ∈Zp
I
(ρM + ker(ϕ)) = G`1 .
Given any (M, σ) where M 6∈ ker(ϕ), we can forge the signature on
any message M 0 , if we could find the unique ρ such that
M 0 ∈ ρM + ker(ϕ).
35 / 39
The Weak Point and How to Fix
In [HS14]:
I
SignR (M, sk): On representative M ∈ (G∗1 )` of [M]R , chooses
R
y ← Z∗p and computes σ = (Z , V , Y , Y 0 ), where
Z ←x
`
X
i=1
xi Mi ,
V ←y
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
36 / 39
The Weak Point and How to Fix
In [HS14]:
I
SignR (M, sk): On representative M ∈ (G∗1 )` of [M]R , chooses
R
y ← Z∗p and computes σ = (Z , V , Y , Y 0 ), where
Z ←x
`
X
xi Mi ,
V ←y
i=1
`
X
xi Mi ,
(Y , Y 0 ) ← y · (P, P 0 ).
i=1
In [FHS14] eprint 2014/944:
I
SignR (M, sk): On representative M ∈ (G∗1 )` of [M]R , chooses
R
y ← Z∗p and computes σ = (V , Y , Y 0 ), where
V ←y
`
X
i=1
xi M i ,
(Y , Y 0 ) ←
1
· (P, P 0 ).
y
37 / 39
Remarks about FHS14
I
The FHS14 scheme is proven to be EUF-CMA;
I
It certainly can resist our attack;
P`
It still employs the structure i=1 xi Mi .
I
I
If we can find K ∈ ker(ϕ), the scheme will be insecure, but it seems
we can not;
I
If part of the private key are leaked, such as x1 and x2 , we can find
K.
38 / 39
Thank You!
39 / 39
S HORT S TRUCTURE -P RESERVING S IGNATURES
Essam Ghadafi
[email protected]
Department of Computer Science,
University College London
CT-RSA 2016
S HORT S TRUCTURE -P RESERVING S IGNATURES
O UTLINE
1
BACKGROUND
2
O UR S CHEME
3
E FFICIENCY C OMPARISON
4
S OME A PPLICATIONS
5
S UMMARY & O PEN P ROBLEMS
S HORT S TRUCTURE -P RESERVING S IGNATURES
D IGITAL S IGNATURES
vk
sk
Sig
Signer
Verifier
Yes/No
Unforgeabiltiy: You can only sign messages if you have the signing
key
S HORT S TRUCTURE -P RESERVING S IGNATURES
1 / 19
(P RIME -O RDER ) B ILINEAR G ROUPS
G, G̃, T are finite cyclic groups of prime order p, where G = hGi and
G̃ = hG̃i
Pairing (e : G × G̃ −→ T) :
The function e must have the following properties:
Bilinearity: ∀P ∈ G , ∀Q̃ ∈ G̃, ∀x, y ∈ Z, we have
e(Px , Q̃y ) = e(P, Q̃)xy
Non-Degeneracy: The value e(G, G̃) 6= 1 generates T
The function e is efficiently computable
Type-III [GPS08]: G 6= G̃ and no efficiently computable
homomorphism between G and G̃ in either direction
S HORT S TRUCTURE -P RESERVING S IGNATURES
2 / 19
S TRUCTURE -P RESERVING S IGNATURES
Some History:
The term “Structure-Preserving” was coined by Abe et al. 2010
Earlier constructions: Groth 2006 and Green and Hohenberger
2008
Many constructions in the 3 different main types of bilinear
groups
Optimal Type-III constructions are the most efficient
S HORT S TRUCTURE -P RESERVING S IGNATURES
3 / 19
S TRUCTURE -P RESERVING S IGNATURES
What are they?
D EFINITION (A S TRUCTURE -P RESERVING S IGNATURE )
A signature scheme (defined over bilinear groups) where:
m, vk and σ are elements of G and/or G̃
Verifying signatures only involves deciding group membership
and evaluating pairing-product equations (PPE):
YY
e(Ai , B̃j )ci,j = Z,
i
j
where Ai ∈ G, B̃j ∈ G̃ and Z ∈ T are group elements appearing
in P, m, vk, σ, whereas ci,j ∈ Zp are constants
S HORT S TRUCTURE -P RESERVING S IGNATURES
4 / 19
S TRUCTURE -P RESERVING S IGNATURES
Why Structure-Preserving Signatures?
Compose well with other pairing-based schemes
• Easy to encrypt
Compose well with ElGamal/BBS linear encryption
• Easy to combine with NIZK proofs
Compose well with Groth-Sahai proofs
S HORT S TRUCTURE -P RESERVING S IGNATURES
5 / 19
A PPLICATIONS OF S TRUCTURE -P RESERVING S IGNATURES
Applications of Structure-Preserving Signatures:
Blind signatures
Group signatures
Malleable signatures
Tightly secure encryption schemes
Anonymous credentials
Oblivious transfer
Network coding
...
S HORT S TRUCTURE -P RESERVING S IGNATURES
6 / 19
E XISTING L OWER B OUNDS
Lower Bounds (for unilateral messages) in Type-III Bilinear
Groups (Abe et al. 2011):
Signatures contain at least 3 group elements
Signatures cannot be unilateral (must contain elements from both
G and G̃)
• Note: Size of elements of G̃ are at least twice as big as those of G
At least 2 PPE verification equations
S HORT S TRUCTURE -P RESERVING S IGNATURES
7 / 19
O UR C ONTRIBUTION
A new signature scheme in Type-III bilinear groups with shorter
signatures than existing ones:
• Signatures consist of 3 elements from G (i.e. unilateral)
• 2 PPE verification equations (5 pairings in total)
• Message space is the set of Diffie-Hellman pairs (Abe et
al. 2010):
The set Ĝ = {(M, Ñ)|(M, Ñ) ∈ G × G̃, e(M, G̃) = e(G, Ñ)}
More efficient instantiations of some existing cryptographic
protocols (e.g. DAA)
S HORT S TRUCTURE -P RESERVING S IGNATURES
8 / 19
O UR S CHEME
The Underlying Idea:
Can be viewed as an extension of the non-structure-preserving
scheme of Pointcheval and Sanders (CT-RSA 2016)
Can be viewed as a more efficient variant of Ghadafi (ACISP
2013) Camenisch-Lysyanskaya based structure-preserving
scheme
S HORT S TRUCTURE -P RESERVING S IGNATURES
9 / 19
O UR S CHEME
The Scheme:
KeyGen: Choose x, y ← Zp , set sk := (x, y) and
pk := (X̃ := G̃x , Ỹ := G̃y ) ∈ G̃2
Sign: To sign (M, Ñ) ∈ Ĝ,
a
a
x
y
3
• Choose a ← Z×
p , σ := (A := G , B := M , C := A · B ) ∈ G
Verify: Check that A 6= 1G and (M, Ñ) ∈ Ĝ and
e(A, Ñ) = e(B, G̃)
e(C, G̃) = e(A, X̃)e(B, Ỹ)
Randomize: Choose r ← Z×
p , return
σ 0 := (A0 := Ar , B0 := Br , C0 := Cr )
S HORT S TRUCTURE -P RESERVING S IGNATURES
10 / 19
P ROPERTIES OF THE S CHEME
Some Properties of the Scheme:
The scheme is secure in the generic group model
• ⇒ alternatively can be based on an interactive assumption
Unilateral signatures
(Perfectly) Fully re-randomizable
Only M part of the message is needed for signing
S HORT S TRUCTURE -P RESERVING S IGNATURES
11 / 19
E FFICIENCY C OMPARISON
Scheme
[GH08] a
[Fuc09]
[AFG+10] I
[AFG+10] II
[AGH+11] I
[AGH+11] II
[Gha13]
[CM14] I
[CM14] II
[CM14] III
[AGO+14] I
[AGO+14] II
[BFF15]
[Gro15] I
[Gro15] II
Ours
a
σ
G4 × G̃
G3 × G̃2
G5 × G̃2
G2 × G̃5
G2 × G̃
G2 × G̃
G4
G × G̃2
G × G̃2
G2 × G̃
G3 × G̃
G2 × G̃
G × G̃2
G × G̃2
G × G̃2
G3
Size
vk
G̃2
G × G̃
G10 × G̃4
G10 × G̃4
G × G̃3
G × G̃
G̃2
G2
G2
G̃2
G̃
G̃
G2
G
G
G̃2
P
G3
G
G
G̃
G̃
-
m
G
Ĝ
G
G̃
G × G̃
G̃
Ĝ
G̃
G̃
G
G
G
G̃
G̃
G̃
Ĝ
R?
Assumptions
Y
N
P
P
N
Y
Y
N
Y
Y
Y
N
Y
Y
N
Y
q-HLRSW
q-ADHSDH+AWFCDH
q-SFP
q-SFP
GGM
GGM
DH-LRSW
GGM
GGM
GGM
GGM
GGM
GGM
GGM
GGM
GGM
Verification
PPE
Pairing
4
8
3
9
2
12
2
12
2
7
2
5
3
7
2
5
2
6
2
6
2
6
2
6
2
5
2
6
2
7
2
5
This scheme is only secure against a random message attack.
S HORT S TRUCTURE -P RESERVING S IGNATURES
12 / 19
E FFICIENCY C OMPARISON
Comparison with schemes with the same message space
Scheme
[Fuc09]
[Gha13]
Ours
σ
G3 × G̃2
4
G
G3
Size
vk
G × G̃
G̃2
G̃2
P
G3
-
R?
Assumptions
N
Y
Y
q-ADHSDH+AWFCDH
DH-LRSW
GGM
PPE
3
3
2
Verification
Pairing
9 or (7 & 2 ECAdd)
7 or (6 & 1 ECAdd)
5
* Cost does not include checking well-formedness of the message
S HORT S TRUCTURE -P RESERVING S IGNATURES
13 / 19
G ENERIC C ONSTRUCTION OF DAA
Bernhard et al. 2013 gave a generic construction of DAA which
requires the following tools:
Randomizable Weakly Blind Signatures (RwBS)
• Used by the Issuer to issue certificates as credentials when users
join the group
Linkable Indistinguishable Tags (LIT)
• Needed to provide the linkability of signatures when the same
basename is signed by the same user
Signatures of Knowledge (SoK)
• Used by users to prove they have a credential and that the
signature on the basename verifies w.r.t. thier certified secret key
S HORT S TRUCTURE -P RESERVING S IGNATURES
14 / 19
B LIND S IGNATURES
pk
sk
USER
S HORT S TRUCTURE -P RESERVING S IGNATURES
SIGNER
15 / 19
B LIND S IGNATURES
pk
sk
...
Sig
USER
S HORT S TRUCTURE -P RESERVING S IGNATURES
SIGNER
15 / 19
B LIND S IGNATURES
pk
sk
...
Sig
Sig
USER
SIGNER
Security Requirements:
Blindness: An adversary (i.e. a signer) who chooses the
messages, does not learn which message being signed and
cannot link a signature to its signing session
Unforgeability: An adversary (i.e. a user) cannot forge new
signatures
S HORT S TRUCTURE -P RESERVING S IGNATURES
15 / 19
B LIND S IGNATURES
pk
sk
...
Sig
Sig
USER
SIGNER
Security Requirements:
Blindness: An adversary (i.e. a signer) who chooses the
messages, does not learn which message being signed and
cannot link a signature to its signing session
Unforgeability: An adversary (i.e. a user) cannot forge new
signatures
S HORT S TRUCTURE -P RESERVING S IGNATURES
15 / 19
R ANDOMIZABLE W EAKLY B LIND S IGNATURES (RW BS)
Similar to blind signatures but:
Randomizability: Given a signature σ, anyone can produce a
new signature σ 0 on the same message
Weak Blindness: Same as blindness but the adversary never
sees the messages ⇒ The adversary cannot tell if he was given a
signature on a different message or a re-randomization of a
signature on the same message
S HORT S TRUCTURE -P RESERVING S IGNATURES
16 / 19
E FFICIENT RW BS WITHOUT R ANDOM O RACLES
The Idea: Combine the new scheme with SXDH-based Groth-Sahai
proofs
Only M is needed for signing ⇒ To request a signature on
(M, Ñ), send M and a NIZKPoK π of Ñ
o
n
LUser : M, Ñ : e(G, Ñ) = e(M, G̃0 ) ∧ G̃0 · G̃ = 1G̃
The signer produces a signature σ and a NIZK proof Ω (without
knowing Ñ) for the validity of σ
n
LSigner : (A, B, M), Ã : e(G, Ã) = e(A, G̃0 )
o
∧ e(M, Ã) = e(B, G̃0 ) ∧ G̃0 · G̃ = 1G̃
Fully re-randomizable ⇒ User verifies Ω and the final signature
is a re-randomization of σ
S HORT S TRUCTURE -P RESERVING S IGNATURES
17 / 19
E FFICIENT RW BS WITHOUT R ANDOM O RACLES
The Idea: Combine the new scheme with SXDH-based Groth-Sahai
proofs
Only M is needed for signing ⇒ To request a signature on
(M, Ñ), send M and a NIZKPoK π of Ñ
o
n
LUser : M, Ñ : e(G, Ñ) = e(M, G̃0 ) ∧ G̃0 · G̃ = 1G̃
The signer produces a signature σ and a NIZK proof Ω (without
knowing Ñ) for the validity of σ
n
LSigner : (A, B, M), Ã : e(G, Ã) = e(A, G̃0 )
o
∧ e(M, Ã) = e(B, G̃0 ) ∧ G̃0 · G̃ = 1G̃
Fully re-randomizable ⇒ User verifies Ω and the final signature
is a re-randomization of σ
S HORT S TRUCTURE -P RESERVING S IGNATURES
17 / 19
E FFICIENT RW BS WITHOUT R ANDOM O RACLES
The Idea: Combine the new scheme with SXDH-based Groth-Sahai
proofs
Only M is needed for signing ⇒ To request a signature on
(M, Ñ), send M and a NIZKPoK π of Ñ
o
n
LUser : M, Ñ : e(G, Ñ) = e(M, G̃0 ) ∧ G̃0 · G̃ = 1G̃
The signer produces a signature σ and a NIZK proof Ω (without
knowing Ñ) for the validity of σ
n
LSigner : (A, B, M), Ã : e(G, Ã) = e(A, G̃0 )
o
∧ e(M, Ã) = e(B, G̃0 ) ∧ G̃0 · G̃ = 1G̃
Fully re-randomizable ⇒ User verifies Ω and the final signature
is a re-randomization of σ
S HORT S TRUCTURE -P RESERVING S IGNATURES
17 / 19
E FFICIENT RW BS WITHOUT R ANDOM O RACLES
The Idea: Combine the new scheme with SXDH-based Groth-Sahai
proofs
Only M is needed for signing ⇒ To request a signature on
(M, Ñ), send M and a NIZKPoK π of Ñ
o
n
LUser : M, Ñ : e(G, Ñ) = e(M, G̃0 ) ∧ G̃0 · G̃ = 1G̃
The signer produces a signature σ and a NIZK proof Ω (without
knowing Ñ) for the validity of σ
n
LSigner : (A, B, M), Ã : e(G, Ã) = e(A, G̃0 )
o
∧ e(M, Ã) = e(B, G̃0 ) ∧ G̃0 · G̃ = 1G̃
Fully re-randomizable ⇒ User verifies Ω and the final signature
is a re-randomization of σ
S HORT S TRUCTURE -P RESERVING S IGNATURES
17 / 19
E FFICIENT RW BS WITHOUT R ANDOM O RACLES
Security of the RwBS Scheme:
Unforgeability of the SPS Scheme + SXDH
Efficiency of the RwBS Scheme:
Scheme
Signature
Bernhard et al. 2013 I
Ours
G4
G3
S HORT S TRUCTURE -P RESERVING S IGNATURES
PPE
3
2
Verification
Pairing
7 or (6 & 1 ECAdd)
5
18 / 19
S UMMARY & O PEN P ROBLEMS
Summary:
• A new unilateral SPS scheme with short signatures
• More efficient instantiations of building blocks for DAA without
random oracles
Open Problems:
• More efficient constructions of unilateral structure-preserving
signatures
• Constructions based on standard assumptions (e.g. DDH, DLIN,
etc.)
• (Constant-size?) constructions for a vector of Diffie-Hellman
pairs
S HORT S TRUCTURE -P RESERVING S IGNATURES
19 / 19
T HE E ND
Thank you for your attention!
Questions?
S HORT S TRUCTURE -P RESERVING S IGNATURES

Download Report

Cryptanalysis of the Structure-Preserving

Paperzz.com

Your Paperzz