a group signature scheme in the generic group model · a group signature scheme in the generic...
TRANSCRIPT
A group signature scheme in the generic
group model
Remi Clarisse (joint work with Olivier Sanders)
CARAMBA seminar – January 13th, 2020
IRMAR – Univ. de Rennes
Orange Labs – Cesson-Sevigne
Table of contents
1. Building blocks
2. Introduction to group signatures
3. PS signatures
4. FHS signatures
5. Our construction
6. Comparison
1
Building blocks
Public Key Encryption
Public key encryption scheme
• Γ.Keygen(1λ)→ [sk, pk]
• Γ.Encrypt(pk,m)→ c
• Γ.Decrypt(sk, c)→ {m,⊥}
IND-CCA2 security
indistinguishability under adaptive chosen ciphertext attacks
2
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
({m}, {c})b← {0, 1}c∗
({m′}, {c′})
3
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
pk
({m}, {c})b← {0, 1}c∗
({m′}, {c′})
3
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
{c}
{m = Decrypt(c)}
({m}, {c})
b← {0, 1}c∗
({m′}, {c′})
3
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
({m}, {c})
m0,m1
c∗ = Encrypt(mb)
b← {0, 1}c∗
({m′}, {c′})
3
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
({m}, {c})b← {0, 1}c∗
{c′ 6= c∗}
{m′ = Decrypt(c′)}
({m′}, {c′})
3
IND-CCA2
Challenger
[sk, pk]
Adversary
pk
({m}, {c})b← {0, 1}c∗
({m′}, {c′})
b∗
is b∗ = b?
3
Digital Signature
Digital signature scheme
• Σ.Setup(1λ)→ pp
• Σ.Keygen(pp)→ [sk, pk]
• Σ.Sign(sk,m)→ σ
• Σ.Verify(pk,m, σ)→ {0, 1}
EUF-CMA security [GMR88]
existential unforgeability under chosen message attacks
4
EUF-CMA [GMR88]
Challenger
[sk, pk]
Adversary
pk
({m}, {σ})
5
EUF-CMA [GMR88]
Challenger
[sk, pk]
Adversary
pk
pk
({m}, {σ})
5
EUF-CMA [GMR88]
Challenger
[sk, pk]
Adversary
pk
{m}
{σ = Sign(m)}
({m}, {σ})
5
EUF-CMA [GMR88]
Challenger
[sk, pk]
Adversary
pk
({m}, {σ})
m∗ 6= m,σ∗
is Verify(m∗, σ∗) = 1?
5
Zero-knowledge proof of knowledge
ZK proof of knowledge
Completeness: if the statement is true, an honest verifier will be
convinced by an honest prover
Soundness: if the statement is false, no cheating prover can
convince an honest verifier
Zero-knowledge: if the statement is true, no verifier learns
anything other than the fact that the statement is
true
6
Schnorr identification protocol (HVZK) [Sch90]
Verifier
public y = gx
Prover
secret x
commitment z = gr
random r
challenge c
random c
answer t = r + cx
check whether gt = zyc
7
Schnorr identification protocol (HVZK) [Sch90]
Verifier
public y = gx
Prover
secret x
commitment z = gr
random r
challenge c
random c
answer t = r + cx
check whether gt = zyc
7
Schnorr identification protocol (HVZK) [Sch90]
Verifier
public y = gx
Prover
secret x
commitment z = gr
random r
challenge c
random c
answer t = r + cx
check whether gt = zyc
7
Schnorr identification protocol (HVZK) [Sch90]
Verifier
public y = gx
Prover
secret x
commitment z = gr
random r
challenge c
random c
answer t = r + cx
check whether gt = zyc
7
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Verifier
public y = gx
Prover
secret x
commit z = gr
challenge c = H(g, y, z)
answer t = r + cx
z, t
compute c
check whether gt = zyc
8
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Verifier
public y = gx
Prover
secret x
commit z = gr
challenge c = H(g, y, z)
answer t = r + cx
z, t
compute c
check whether gt = zyc
8
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Verifier
public y = gx
Prover
secret x
commit z = gr
challenge c = H(g, y, z)
answer t = r + cx
z, t
compute c
check whether gt = zyc
8
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Verifier
public y = gx
Prover
secret x
commit z = gr
challenge c = H(g, y, z)
answer t = r + cx
z, t
compute c
check whether gt = zyc
8
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Verifier
public y = gx
Prover
secret x
commit z = gr
challenge c = H(g, y, z)
answer t = r + cx
z, t
compute c
check whether gt = zyc
8
Signature of knowledge (SoK)
Verifier
message m
public y = gx
Prover
message m
secret x
commit z = gr
challenge c = H(g, y, z,m)
answer t = r + cx
z, t
compute c
check whether gt = zyc
9
Signature of knowledge (SoK)
Verifier
message m
public y = gx
Prover
message m
secret x
commit z = gr
challenge c = H(g, y, z,m)
answer t = r + cx
z, t
compute c
check whether gt = zyc
9
Signature of knowledge (SoK)
Verifier
message m
public y = gx
Prover
message m
secret x
commit z = gr
challenge c = H(g, y, z,m)
answer t = r + cx
z, t
compute c
check whether gt = zyc
9
Signature of knowledge (SoK)
Verifier
message m
public y = gx
Prover
message m
secret x
commit z = gr
challenge c = H(g, y, z,m)
answer t = r + cx
z, t
compute c
check whether gt = zyc
9
Signature of knowledge (SoK)
Verifier
message m
public y = gx
Prover
message m
secret x
commit z = gr
challenge c = H(g, y, z,m)
answer t = r + cx
z, t
compute c
check whether gt = zyc
9
Bilinear pairing [GPS08]
G1 = 〈g〉, G2 = 〈g〉 and GT groups of order `
map e : G1 ×G2 −→ GT
Bilinear: e(ga, gb) = e(g, g)ab
Non-degenerate: e(g, g) 6= 1GT
Computable: computable by a polynomial time algorithm
type-3: no easily computable isomorphism between G1 and
G2 in either way
10
Introduction to group signatures
Idea: sketch [BSZ05]
Group Members
Non-member
Group Manager
Opening Authority
[sk, pk, usk] [gsk, gpk]
[osk, opk]
11
Idea: security model [BMW03]
Correctness: each group member can produce valid signature
Anonymity: a valid signature cannot be tied to its issuer
Traceability: a valid signature must have been produce by a
group member and its anonymity can be lifted
Non-frameability: no group member can be falsely accused of
having produced a signature
12
Joining the group
Group Member Group Manager
[sk, pk] [gsk, gpk]
Interactive protocol
get certificate τ/usk on id register user
13
SEP framework [BMW03]
Sign: σ ← Σ.Signsk(m)
Encrypt: c← Γ.Encryptopk(σ, τ, pk)
Prove: NIZK proof π that everything is well formed
Signature on m is (c, π)
14
Bichsel et al. [BCN+10]
Remove encryption
• Randomize certificate τ ′
• SoK π on m that τ ′ certifies user
Signature on m is (τ ′, π)
15
PS signatures
Randomizable signature
PS signature [PS16]
• Σ.Setup(1λ)→ pp
pp = (G1 = 〈g〉,G2 = 〈g〉,GT , e,X = gx, X = gx)
• Σ.Keygen(pp)→ [sk = gy, pk = gy]
• Σ.Sign(sk,m)→ (σ1 = gr, σ2 = Xr(sk)rm)
• Σ.Verify(pk,m, σ)→ is e(σ1, X(pk)m) = e(σ2, g)?
Same verification equation holds for (σs1, σs2)
16
A variant of PS signatures
Remember sk = gy
Σ.Sign(gy,m)→ (σ1 = gr, σ2 = Xr/mgyr)
“Remove” Xr/m, then (σ1, σ2) = (gr, gyr) in same “projective
equivalence-class” as (g, gy)
17
FHS signatures
FHS signature on equivalence-class
Equivalence relation on G1 ×G1
(m1,m2) ∼ (n1, n2)⇐⇒ ∃r scalar, (m1,m2) = (nr1, nr2)
FHS signature scheme [FHS19]
• Σ.Setup(1λ)→ (G1 = 〈g〉,G2 = 〈g〉,GT , e)
• Σ.Keygen(pp)→ [sk, pk]
sk = (α1, α2) scalars, pk = (A1, A2) = (gα1 , gα2)
• Σ.Sign(sk, (m1,m2))→ (τ1, τ2, τ)
τ1 = (mα11 mα2
2 )t, τ2 = g1/t, τ = g1/t
• Σ.Verify(pk, (m1,m2), (τ1, τ2, τ))→ are
e(τ1, τ) = e(m1, A1)e(m2, A2) and e(τ2, g) = e(g, τ)? 18
Randomizing FHS signatures
Reminder:
• Σ.Sign(sk, (m1,m2))→ (τ1, τ2, τ)
τ1 = (mα11 mα2
2 )t, τ2 = g1/t, τ = g1/t
• Σ.Verify(pk, (m1,m2), (τ1, τ2, τ))→ are
e(τ1, τ) = e(m1, A1)e(m2, A2) and e(τ2, g) = e(g, τ)?
Pick (mr1,m
r2) ∼ (m1,m2) and a random scalar t′:
(τ1, τ2, τ) signs (m1,m2)⇒ (τ rt′
1 , τ1/t′
2 , τ1/t′) signs (mr
1,mr2)
19
Our construction
Intuition: combining PS and FHS signatures
ΣvPS .Sign(gy,m)→ (σ1, σ2) = (gr, Xr/mgyr)
• remove Xr/m: multiply σ2 by X−r/m
• so (σ1, X−r/mσ2) ∼ (g, gy)
• choose certificate to be a FHS signature on (g, gy)
ΣFHS .Sign(gsk, (g, gy))→ (τ1, τ2, τ)
Equations ΣFHS .Verify(gpk, (gr, gyr), (τ r1 , τ2, τ)) are
e(τ1, τ) = e(gr, A1)e(gyr, A2) and e(τ2, g) = e(g, τ)
on the public key (A1, A2) = (gα1 , gα2)
20
Intuition: combining PS and FHS signatures
How to really remove Xr/m from (σ1, σ2) = (gr, Xr/mgyr)?
e(τ1, τ) = e(gr, A1)e(gyr, A2)
= e(σ1, A1)e(σ2X−r/m, A2)
= e(σ1, A1)e(σ2, A2)e(g−rx/m, A2)
= e(σ1, A1)e(σ2, A2)e(σ1, B−1/m)
Add B = Xα2 to FHS public key from the PS one
21
Our group signature scheme [CS18]
• Setup(1λ)→ pp (type-3 pairing and X, X)
• GKeygen(pp)→ [gsk, gpk]
gsk = (α1, α2) scalars, gpk = (A1, A2, B) = (gα1 , gα2 , Xα2)
• upon joining, user gets (τ1, τ2, τ) certifying (g, gy): set their
group signing key to usk = (τ1, τ2, τ , gy)
• Group Manager keeps Encryptopk(gy)
• Sign(usk,m)→ (τ ′1, τ′2, τ′, σ1, σ2)
(τ ′1, τ′2, τ′) = (τ rs1 , τ
1/s2 , τ1/s) and (σ1, σ2) = (gr, Xr/mgyr)
• Verify(gpk,m, (τ ′1, τ′2, τ′, σ1, σ2)) checks whether
e(τ ′1, τ′) = e(σ1, A1B
−1/m)e(σ2, A2) and e(τ ′2, g) = e(g, τ ′)
22
Comparison
Comparison with other schemes
Scheme Size Cost
GS
model Anonymity
[BCN+10] 1664 3 e1 + 1 eT BMW selfless
[PS16] 1280 2 e1 + 1 eT BMW selfless
[DS18] 2816 5 e1 + 1 e2 BSZ CPA
[DS18]* 4608 5 e1 + 6 e2 BSZ full
[BHK+18] 4992 9 e1 + 2 e2 BMW full
Ours 2304 5 e1 + 1 e2 BSZ CPA & selfless
Ours* 2304 5 e1 + 1 e2 BMW full
Table 1: Efficiency and security comparisons (see [CS18])
23
Thank you for your attention!
23
References
Patrik Bichsel, Jan Camenisch, Gregory Neven,
Nigel P. Smart, and Bogdan Warinschi. “Get Shorty
via Group Signatures without Encryption”. In: SCN
10. Ed. by Juan A. Garay and Roberto De Prisco.
Vol. 6280. LNCS. Springer, Heidelberg, Sept. 2010,
pp. 381–398. doi:
10.1007/978-3-642-15317-4_24.
Michael Backes, Lucjan Hanzlik, Kamil Kluczniak,
and Jonas Schneider. “Signatures with Flexible Public
Key: Introducing Equivalence Classes for Public
Keys”. In: ASIACRYPT 2018, Part II. Ed. by
Thomas Peyrin and Steven Galbraith. Vol. 11273.
LNCS. Springer, Heidelberg, Dec. 2018, pp. 405–434.
doi: 10.1007/978-3-030-03329-3_14.
Mihir Bellare, Daniele Micciancio, and
Bogdan Warinschi. “Foundations of Group Signatures:
Formal Definitions, Simplified Requirements, and a
Construction Based on General Assumptions”. In:
EUROCRYPT 2003. Ed. by Eli Biham. Vol. 2656.
LNCS. Springer, Heidelberg, May 2003, pp. 614–629.
doi: 10.1007/3-540-39200-9_38.
Mihir Bellare, Haixia Shi, and Chong Zhang.
“Foundations of Group Signatures: The Case of
Dynamic Groups”. In: CT-RSA 2005. Ed. by
Alfred Menezes. Vol. 3376. LNCS. Springer,
Heidelberg, Feb. 2005, pp. 136–153. doi:
10.1007/978-3-540-30574-3_11.
Remi Clarisse and Olivier Sanders. Short Group
Signature without Random Oracles. Cryptology
ePrint Archive, Report 2018/1115.
https://eprint.iacr.org/2018/1115. 2018.
David Derler and Daniel Slamanig. “Highly-Efficient
Fully-Anonymous Dynamic Group Signatures”. In:
ASIACCS 18. Ed. by Jong Kim, Gail-Joon Ahn,
Seungjoo Kim, Yongdae Kim, Javier Lopez, and
Taesoo Kim. ACM Press, Apr. 2018, pp. 551–565.
Georg Fuchsbauer, Christian Hanser, and
Daniel Slamanig. “Structure-Preserving Signatures on
Equivalence Classes and Constant-Size Anonymous
Credentials”. In: Journal of Cryptology 32.2 (Apr.
2019), pp. 498–546. doi:
10.1007/s00145-018-9281-4.
Freepik. All avatars icons made by Freepik from
www.flaticon.com.
https://www.flaticon.com/authors/freepik.
Amos Fiat and Adi Shamir. “How to Prove Yourself:
Practical Solutions to Identification and Signature
Problems”. In: CRYPTO’86. Ed. by
Andrew M. Odlyzko. Vol. 263. LNCS. Springer,
Heidelberg, Aug. 1987, pp. 186–194. doi:
10.1007/3-540-47721-7_12.
Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest.
“A Digital Signature Scheme Secure Against Adaptive
Chosen-message Attacks”. In: SIAM Journal on
Computing 17.2 (Apr. 1988), pp. 281–308.
Steven D. Galbraith, Kenneth G. Paterson, and
Nigel P. Smart. “Pairings for cryptographers”. In:
Discrete Applied Mathematics 156.16 (2008),
pp. 3113–3121. doi: 10.1016/j.dam.2007.12.010.
url:
https://doi.org/10.1016/j.dam.2007.12.010.
David Pointcheval and Olivier Sanders. “Short
Randomizable Signatures”. In: CT-RSA 2016. Ed. by
Kazue Sako. Vol. 9610. LNCS. Springer, Heidelberg,
Feb. 2016, pp. 111–126. doi:
10.1007/978-3-319-29485-8_7.
Claus-Peter Schnorr. “Efficient Identification and
Signatures for Smart Cards”. In: CRYPTO’89. Ed. by
Gilles Brassard. Vol. 435. LNCS. Springer, Heidelberg,
Aug. 1990, pp. 239–252. doi:
10.1007/0-387-34805-0_22.