Short Traceable Signatures Based on Bilinear Pairings
Seung Geol Choi (Columbia University)
joint work with Moti Yung (Columbia University) and Kunsoo Park (Seoul National University)
Contents
Overview of Traceable Signatures
Motivation
Preliminaries
ZK for SDH Representation
Construction
Security
Conclusion
Overview of Traceable Signatures

Traceable Signatures
Can be regarded as an extension of group signatures.
Provides all the operations of group signatures: setup, join, sign, verify, open.
Provides stronger revocation of anonymity: tracing (reveal, trace).
Provides claiming (claim, claim_verify).
Why do we need traceable signatures? Consider the following setting.
Typical abstract large system with anonymous users: many users and many remote verification points. Users issue signatures that get aggregated and verified at the remote points.
Scenario #1
Parties: the Authority and the verification points.
Tracing request: "open signature".
Scenario #2
Parties: the Authority and the verification points.
Tracing request: "USER X" needs to be traced.
Using the opening mechanism from scenario #1, all signatures must be aggregated and the Authority will have to open all of them to discover the ones signed by user X.
Shortcomings of group signatures
Signatures from remote verification points must be aggregated (load-balancing concerns).
The Authority must open all signatures, thus severely (and unnecessarily) violating the privacy of many users (privacy concerns).
The Authority is typically a distributed entity, so that opening requires the collaboration of many agents (efficiency concerns).
Outcome: Scenario #1 is insufficient for dealing with the above tracing request.
Scenario #3
A user wants to claim a signature as his own.
Features of Traceable Signatures (1)
Anonymity: A user (group member) signs on behalf of the group. Verification is done using the group's public key.
Claiming: A user can claim his own signature.
Features of Traceable Signatures (2)
Revocation of anonymity: The group manager can open a problematic signature and find out who signed it. The tracing agents can trace all the signatures of a suspicious user.
Motivation

Motivation
Previous constructions were quite long: [KTY04]: 1206 bytes; [NS04]: 917 bytes.
Adapt the short group signature [BBS04] to traceable signatures. Ours: 362 bytes, i.e. 1.5 to 3 times the length of an RSA signature.
Basic Tools

Three main basic tools
Bilinear pairings
One-more SDH (Strong Diffie-Hellman) representation problem
Linear encryption scheme
Basic Tools – Bilinear Pairings
$G_1, G_2, G_T$: cyclic groups of prime order $p$.
$P_1, P_2$: generators of $G_1, G_2$.
$\psi: G_2 \to G_1$: isomorphism mapping.
Def: A bilinear pairing $e: G_1 \times G_2 \to G_T$ is:
Bilinear: $e(aP_1, bP_2) = e(P_1, P_2)^{ab}$ for all $a, b \in \mathbb{Z}$.
Non-degenerate: $e(P_1, P_2) \neq 1$.
Efficiently computable.
Basic Tools – One-More SDH Representation Problem (1)
SDH Representation: Given $P_1, P_2, Q, R$ where $Q \in G_1$ and $R = \gamma P_2$, an SDH representation is a triple $(A, x, t)$ s.t. $A = (xP_1 + Q)/(t + \gamma)$, or equivalently $e(A, tP_2 + R) = e(xP_1 + Q, P_2)$.
One-more SDH representation problem: Given $K$ SDH representations, output another valid SDH representation.
Basic Tools – One-More SDH Representation Problem (2)
Under the q-SDH assumption, the one-more SDH representation problem is hard.
q-SDH Assumption [BB04]: The following q-SDH problem is hard:
Given $P_1, P_2, \gamma P_2, \gamma^2 P_2, \ldots, \gamma^q P_2$, output $(A, x)$ s.t. $(\gamma + x)A = P_1$, where $A \in G_1$ and $x \in \mathbb{Z}_p$.
Basic Tools – Linear Encryption [BBS04] (1)
Keys:
Encryption key: $X, Y, Z \in G_1$.
Decryption key: $\xi_1, \xi_2$ s.t. $\xi_1 X = Z$, $\xi_2 Y = Z$.
Encryption/Decryption:
$E(M) = (r_1 X,\; r_2 Y,\; M + (r_1 + r_2) Z)$
$D(C_1, C_2, C_3) = C_3 - \xi_1 C_1 - \xi_2 C_2$
Basic Tools – Linear Encryption [BBS04] (2)
Semantic security: Under the DLDH (Decisional Linear Diffie-Hellman) assumption [BBS04], linear encryption is semantically secure.
DLDH Assumption: The following problem is hard:
Given $X, Y, Z, aX, bY, cZ$, decide whether $c = a + b$ or $c$ is randomly chosen.
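As an added illustration (not code from the slides or from the authors), the following Python instantiates linear encryption over a toy group: $G_1$ is taken to be the additive group $\mathbb{Z}_P$ for a small prime $P$, so scalar multiplication is ordinary multiplication mod $P$. Discrete logarithms are trivial there, so the toy only exercises the key relations $\xi_1 X = Z$, $\xi_2 Y = Z$ and the decryption algebra; it also shows why the decryption key must stay with the opener: holding $\xi_1, \xi_2$ turns the DLDH question for a tuple $(aX, bY, cZ)$ into a one-line check. The prime, the seed and all function names are assumptions of this example.

```python
import random

# Toy group (assumption of this example): G1 = (Z_P, +) for a small prime P,
# so "a*X" is plain multiplication mod P. Discrete logs are trivial here; the
# point is the algebra of the scheme, not security.
P = 1000003
rng = random.Random(1)      # fixed seed so the toy run is reproducible


def keygen():
    """Pick xi1, xi2, Z and derive X, Y so that xi1*X = Z and xi2*Y = Z."""
    xi1, xi2, Z = rng.randrange(1, P), rng.randrange(1, P), rng.randrange(1, P)
    X = pow(xi1, -1, P) * Z % P
    Y = pow(xi2, -1, P) * Z % P
    return (X, Y, Z), (xi1, xi2)          # (encryption key, decryption key)


def encrypt(ek, M):
    """E(M) = (r1*X, r2*Y, M + (r1+r2)*Z) with fresh randomness r1, r2."""
    X, Y, Z = ek
    r1, r2 = rng.randrange(1, P), rng.randrange(1, P)
    return (r1 * X % P, r2 * Y % P, (M + (r1 + r2) * Z) % P)


def decrypt(dk, ct):
    """D(C1, C2, C3) = C3 - xi1*C1 - xi2*C2; the xi's turn r1*X, r2*Y back into r1*Z, r2*Z."""
    xi1, xi2 = dk
    C1, C2, C3 = ct
    return (C3 - xi1 * C1 - xi2 * C2) % P


def is_linear_tuple(dk, ek, triple):
    """With the decryption key, deciding DLDH is immediate:
    xi1*(aX) + xi2*(bY) = (a+b)*Z, so compare it with the third component cZ.
    Without xi1, xi2 this is exactly the problem the DLDH assumption calls hard."""
    xi1, xi2 = dk
    aX, bY, cZ = triple
    return (xi1 * aX + xi2 * bY) % P == cZ


def demo():
    """Round trip a message and decide a real and a fake linear tuple."""
    ek, dk = keygen()
    X, Y, Z = ek
    a, b = rng.randrange(1, P), rng.randrange(1, P)
    real = (a * X % P, b * Y % P, (a + b) * Z % P)        # constructed: c = a + b
    fake = (a * X % P, b * Y % P, (a + b + 1) * Z % P)    # constructed: c != a + b
    return (decrypt(dk, encrypt(ek, 4242)) == 4242,
            is_linear_tuple(dk, ek, real), is_linear_tuple(dk, ek, fake))


if __name__ == "__main__":
    print(demo())     # (True, True, False)
```

A ciphertext is itself a linear tuple shifted by the message, which is why semantic security of the scheme reduces to DLDH and why the opener's $(\xi_1, \xi_2)$ must never leave the group manager.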
ZK for SDH Representation

Basic Idea
Why do we need this? Come up with a ZK proof for the representation and use the proof as a signature (Fiat-Shamir transform).
Anonymity: the representation is the witness of the proof, i.e. it plays the role of the signing key.
Basic Setting
Proof: $PK\{(A, x, t): e(xP_1 + Q, P_2) = e(A, tP_2 + R)\}$
Instance: $P_1, Q, P_2, R$, where $P_1$ is a generator of $G_1$, $Q$ a random point, $P_2$ a generator of $G_2$, and $R = \gamma P_2$.
Prover's auxiliary input (SDH representation / witness): $(A, x, t)$ s.t. $e(xP_1 + Q, P_2) = e(A, tP_2 + R)$.
Other public parameters: for linear encryption, $X, Y, Z$ (generators of $G_1$); etc.: $W$ (generator of $G_2$).
ZK for SDH Representation (1)
Prover constructs $T_1, \ldots, T_5$:
$T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A + (r_1 + r_2) Z$ (linear encryption of $A$)
$T_4 = r_3 W$, $T_5 = e(P_1, T_4)^x$ (DLP instance for $x$)
Sub-proof: $PK\{(a_1, a_2, b_1, b_2, u, v):\; T_1 = a_1 X,\; T_2 = a_2 Y,\; uT_1 = b_1 X,\; uT_2 = b_2 Y,\; T_5 = e(P_1, T_4)^v,\; e(T_3, P_2)^u\, e(T_3, R) = e(Z, P_2)^{b_1 + b_2}\, e(Z, R)^{a_1 + a_2}\, e(P_1, P_2)^v\, e(Q, P_2)\}$
ZK for SDH Representation (2)
There exists a simulator (i.e. it is ZK).
$T_1, \ldots, T_5$:
From the semantic security of linear encryption: pick a random $A'$; $T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A' + (r_1 + r_2) Z$.
From DDH: pick a random $x'$; $T_4 = r_3 W$, $T_5 = e(P_1, T_4)^{x'}$.
Indistinguishable from the original transcript.
Sub-proof: run the simulator of the sub-proof.
ZK for SDH Representation (3)
There exists an extractor (i.e. it is a POK).
Sub-proof: a simple 3-move honest-verifier ZK-POK for DLP, so an extractor for the sub-proof exists.
Using the extractor of the DLP proof, we can also extract an SDH representation.
Specifically, let $(a_1, a_2, b_1, b_2, u, v)$ be the extracted witness. Then $b_1 + b_2 = u(a_1 + a_2)$.
ZK for SDH Representation (4)
$e(T_3, P_2)^u\, e(T_3, R) = e(Z, P_2)^{b_1 + b_2}\, e(Z, R)^{a_1 + a_2}\, e(P_1, P_2)^v\, e(Q, P_2)$
$e(T_3, uP_2 + R) = e(Z, (b_1 + b_2) P_2 + (a_1 + a_2) R) \cdot e(vP_1 + Q, P_2)$
$e(T_3, uP_2 + R) \,/\, e(Z, u(a_1 + a_2) P_2 + (a_1 + a_2) R) = e(vP_1 + Q, P_2)$
$e(T_3, uP_2 + R) \,/\, e((a_1 + a_2) Z, uP_2 + R) = e(vP_1 + Q, P_2)$
$e(T_3 - (a_1 + a_2) Z, uP_2 + R) = e(vP_1 + Q, P_2)$
If we let $A = T_3 - (a_1 + a_2) Z$, then $e(A, uP_2 + R) = e(vP_1 + Q, P_2)$, so $(A, u, v)$ is an SDH representation.
Construction

Procedures of Traceable Signatures
Setup
Join/Iss
Sign/Verify
Open
Reveal/Trace
Claim/Claim_Verify
Construction – Setup
Generate the public parameters for the ZK proof of an SDH representation: $P_1, Q, P_2, R, X, Y, Z, W$.
For the SDH representation: $P_1, Q, P_2, R$. For linear encryption: $X, Y, Z$ s.t. $\xi_1 X = Z$, $\xi_2 Y = Z$. Etc.: $W$.
The group manager's private key: $(\gamma, \xi_1, \xi_2)$. $\gamma$: for the generation of SDH representations (join procedure). $\xi_1, \xi_2$: decryption key for linear encryption (opening).
Construction – Join/Iss
Interactive protocol between a user (Join) and the group manager (Iss):
$U_i$ (user $i$) $\to$ GM: $x_i P_1$
GM $\to$ $U_i$: $(A_i, t_i)$ s.t. $e(A_i, t_i P_2 + R) = e(x_i P_1 + Q, P_2)$
Note that the GM can generate $(A_i, t_i)$ without knowing the value $x_i$: let $C_i = x_i P_1$; then $A_i = (C_i + Q)/(t_i + \gamma)$.
$U_i$ now has an SDH representation $(A_i, x_i, t_i)$; the GM stores the joining record $(A_i, C_i, t_i)$.
Construction – Sign/Verify (1)
Big picture of the ZK protocol for an SDH representation: a 3-move honest-verifier proof for DLP.
Instance: $T_1, \ldots, T_5$
P (Prover) $\to$ V (Verifier): $B_1, \ldots, B_6$
V $\to$ P: $c$
P $\to$ V: $s_{a_1}, s_{a_2}, s_{b_1}, s_{b_2}, s_u, s_v$
V: checks whether $s_{a_1}, s_{a_2}, s_{b_1}, s_{b_2}, s_u, s_v$ are consistent.
Construction – Sign/Verify (2)
Details:
$T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A + (r_1 + r_2) Z$
$T_4 = r_3 W$, $T_5 = e(P_1, T_4)^x$
$d_1 = r_1 t$, $d_2 = r_2 t$
$B_1 = b_{r_1} X$, $B_2 = b_{r_2} Y$,
$B_3 = b_t T_1 - b_{d_1} X$, $B_4 = b_t T_2 - b_{d_2} Y$,
$B_5 = e(P_1, T_4)^{b_x}$,
$B_6 = e(T_3, P_2)^{b_t}\, e(Z, P_2)^{-b_{d_1} - b_{d_2}}\, e(Z, R)^{-b_{r_1} - b_{r_2}}\, e(P_1, P_2)^{-b_x}$
$s_{r_1} = b_{r_1} + c\, r_1$, $s_{r_2} = b_{r_2} + c\, r_2$,
$s_{d_1} = b_{d_1} + c\, d_1$, $s_{d_2} = b_{d_2} + c\, d_2$,
$s_x = b_x + c\, x$, $s_t = b_t + c\, t$
Construction – Sign/Verify (3)
Apply the variant of Fiat-Shamir to the protocol (Schnorr-type signature).
Sign: replace the verifier's challenge with a hash of the message and the commitments: $c = H(m, T_1, \ldots, T_5, B_1, \ldots, B_6)$.
The signature will be $(T_1, \ldots, T_5, c, s_{r_1}, s_{r_2}, s_{d_1}, s_{d_2}, s_t, s_x)$.
362 bytes: $T_5$ = 1024 bits, all others 170 bits.
Verification: construct $B'_1, \ldots, B'_6$ from the signature and check whether $H(m, T_1, \ldots, T_5, B'_1, \ldots, B'_6) = c$.
Construction – Open
Given a signature $(T_1, \ldots, T_5, c, s_{r_1}, s_{r_2}, s_{d_1}, s_{d_2}, s_t, s_x)$:
The GM uses his decryption key for linear encryption to recover $A$ from $T_1, T_2, T_3$:
$T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A + (r_1 + r_2) Z$
$\mathrm{Dec}(T_1, T_2, T_3) = T_3 - \xi_1 T_1 - \xi_2 T_2 = A$
Look up the user $j$ in the join records $\{(A_i, C_i, t_i)\}$ such that $A_j = A$.
Construction – Tracing a User (Reveal/Trace)
Reveal: Given the identity $j$ of a certain user $U_j$, returns information to be used for tracing. The GM returns $C_j$ from his join record $(A_j, C_j, t_j)$.
Trace: Given $C_j$ (from Reveal), the tracing information of $U_j$, and a signature $(T_1, \ldots, T_5, c, s_{r_1}, s_{r_2}, s_{d_1}, s_{d_2}, s_t, s_x)$, decides whether it is $U_j$'s signature or not by checking $e(C_j, T_4) \stackrel{?}{=} T_5$. (Note that $T_5 = e(P_1, T_4)^x = e(xP_1, T_4)$, and $C_j = x_j P_1$.)
Construction – Claiming a Signature (Claim/Claim_Verify)
Claim: Given a signature $(T_1, \ldots, T_5, c, s_{r_1}, s_{r_2}, s_{d_1}, s_{d_2}, s_t, s_x)$, the signer returns a NIZK proof $PK\{y: T_5 = e(P_1, T_4)^y\}$.
Claim_Verify: verify the proof.
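The whole construction above (Setup, Join/Iss, Sign/Verify, Open, Reveal/Trace, Claim/Claim_Verify) as an added worked example in Python; this is not the authors' code. It runs the algebra over a toy bilinear setting, an assumption of this example: $G_1 = G_2$ is the additive group $\mathbb{Z}_P$ with $P = 101$, $G_T$ is the order-$P$ subgroup of $\mathbb{Z}_{607}^*$, and $e(a, b) = g^{ab}$, which is bilinear and non-degenerate but offers no security because discrete logarithms in $\mathbb{Z}_P$ are trivial. The hash $H$ (SHA-256), the fixed random seed, the toy-only collision guard in `join`, and every parameter value are assumptions of this example; the Claim proof, which the slide specifies only as a NIZK $PK\{y: T_5 = e(P_1, T_4)^y\}$, is instantiated here as a Schnorr-type Fiat-Shamir proof of that exponent.

```python
import hashlib
import random
from functools import reduce

# Toy bilinear setting (assumption of this example, not the paper's groups):
# G1 = G2 = (Z_P, +), so a*P is a*P mod P; GT = the order-P subgroup of Z_QMOD^*.
# Discrete logs are trivial in Z_P, so this exercises the algebra only, never security.
P, QMOD = 101, 607                        # prime group order; prime with P | QMOD - 1
G_T = pow(2, (QMOD - 1) // P, QMOD)       # generator of GT (64 here)
rng = random.Random(7)                    # fixed seed: reproducible toy run

def e(a, b):                              # toy pairing: e(s*a, t*b) = e(a, b)^(s*t)
    return pow(G_T, (a * b) % P, QMOD)

def gt_pow(x, k):                         # GT has order P, so exponents are reduced mod P
    return pow(x, k % P, QMOD)

def gt_mul(*xs):
    return reduce(lambda u, v: u * v % QMOD, xs, 1)

def scalar():
    return rng.randrange(1, P)

def H(*parts):                            # Fiat-Shamir challenge: SHA-256 of the '|'-joined parts
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def setup():                              # public parameters P1, Q, P2, R, X, Y, Z, W; GM key (gamma, xi1, xi2)
    gamma, xi1, xi2, Z = scalar(), scalar(), scalar(), scalar()
    pk = dict(P1=scalar(), Q=scalar(), P2=scalar(), W=scalar(), Z=Z,
              X=pow(xi1, -1, P) * Z % P, Y=pow(xi2, -1, P) * Z % P)   # xi1*X = Z, xi2*Y = Z
    pk["R"] = gamma * pk["P2"] % P
    return pk, dict(gamma=gamma, xi1=xi1, xi2=xi2)

def join(pk, sk, records):
    """Join/Iss: the user keeps x; the GM learns only C = x*P1 and stores (A, C, t)."""
    while True:                           # toy-only retry: P is tiny, so avoid x or A collisions
        x, t = scalar(), scalar()
        C = x * pk["P1"] % P
        if (t + sk["gamma"]) % P == 0 or any(C == r[1] for r in records):
            continue
        A = (C + pk["Q"]) * pow(t + sk["gamma"], -1, P) % P   # A = (x P1 + Q) / (t + gamma)
        if all(A != r[0] for r in records):
            break
    records.append((A, C, t))
    return (A, x, t)                      # the user's SDH representation

def sign(pk, rep, m):
    A, x, t = rep
    P1, Q, P2, R, W, Z, X, Y = (pk[k] for k in "P1 Q P2 R W Z X Y".split())
    r1, r2, r3 = scalar(), scalar(), scalar()
    T1, T2, T3 = r1 * X % P, r2 * Y % P, (A + (r1 + r2) * Z) % P   # linear encryption of A
    T4 = r3 * W % P
    T5 = gt_pow(e(P1, T4), x)                                     # binds x for tracing/claiming
    d1, d2 = r1 * t % P, r2 * t % P
    b = {k: scalar() for k in ("r1", "r2", "d1", "d2", "t", "x")}  # blinding values
    B = [b["r1"] * X % P, b["r2"] * Y % P,
         (b["t"] * T1 - b["d1"] * X) % P, (b["t"] * T2 - b["d2"] * Y) % P,
         gt_pow(e(P1, T4), b["x"]),
         gt_mul(gt_pow(e(T3, P2), b["t"]), gt_pow(e(Z, P2), -b["d1"] - b["d2"]),
                gt_pow(e(Z, R), -b["r1"] - b["r2"]), gt_pow(e(P1, P2), -b["x"]))]
    c = H(m, T1, T2, T3, T4, T5, *B)
    wit = (r1, r2, d1, d2, t, x)
    s = [(b[k] + c * w) % P for k, w in zip(("r1", "r2", "d1", "d2", "t", "x"), wit)]
    return (T1, T2, T3, T4, T5, c, *s)    # (T1..T5, c, s_r1, s_r2, s_d1, s_d2, s_t, s_x)

def verify(pk, m, sig):
    T1, T2, T3, T4, T5, c, sr1, sr2, sd1, sd2, st, sx = sig
    P1, Q, P2, R, Z, X, Y = (pk[k] for k in "P1 Q P2 R Z X Y".split())
    B = [(sr1 * X - c * T1) % P, (sr2 * Y - c * T2) % P,           # B'_1 .. B'_6
         (st * T1 - sd1 * X) % P, (st * T2 - sd2 * Y) % P,
         gt_mul(gt_pow(e(P1, T4), sx), gt_pow(T5, -c)),
         gt_mul(gt_pow(e(T3, P2), st), gt_pow(e(Z, P2), -sd1 - sd2),
                gt_pow(e(Z, R), -sr1 - sr2), gt_pow(e(P1, P2), -sx),
                gt_pow(gt_mul(e(T3, R), pow(e(Q, P2), -1, QMOD)), c))]
    return c == H(m, T1, T2, T3, T4, T5, *B)

def open_sig(sk, records, sig):           # GM: linear-decrypt (T1, T2, T3) to A, then look A up
    A = (sig[2] - sk["xi1"] * sig[0] - sk["xi2"] * sig[1]) % P
    return next(i for i, r in enumerate(records) if r[0] == A)

def trace(Cj, sig):                       # tracing agent, given Cj = x_j P1 from Reveal
    return e(Cj, sig[3]) == sig[4]        # e(x P1, T4) == e(P1, T4)^x only for the signer

def claim(pk, rep, sig):                  # signer: Schnorr-type NIZK PK{y : T5 = e(P1, T4)^y}
    T4, T5, k = sig[3], sig[4], scalar()
    cc = H("claim", T4, T5, gt_pow(e(pk["P1"], T4), k))
    return cc, (k + cc * rep[1]) % P

def claim_verify(pk, sig, proof):
    T4, T5 = sig[3], sig[4]
    cc, s = proof
    return cc == H("claim", T4, T5, gt_mul(gt_pow(e(pk["P1"], T4), s), gt_pow(T5, -cc)))

def demo(m="approve transfer 42"):       # full run: two members, Bob signs, GM opens, agents trace
    pk, sk = setup()
    records = []
    alice, bob = join(pk, sk, records), join(pk, sk, records)
    sig = sign(pk, bob, m)
    return dict(verify=verify(pk, m, sig), tampered=verify(pk, m + "!", sig),
                opened=open_sig(sk, records, sig),                    # index 1 = Bob
                trace_bob=trace(records[1][1], sig), trace_alice=trace(records[0][1], sig),
                claim=claim_verify(pk, sig, claim(pk, bob, sig)))

if __name__ == "__main__":
    print(demo())
```

The recomputation in `verify` is the standard Schnorr cancellation: each $B'_i$ combines the responses with $c$ times the public value so that the $c$-dependent terms vanish, and the last factor $(e(T_3, R)/e(Q, P_2))^c$ in $B'_6$ is what the SDH relation $e(A, tP_2 + R) = e(xP_1 + Q, P_2)$ contributes once $A$ is written as $T_3 - (r_1 + r_2)Z$. Open uses only the GM's $(\xi_1, \xi_2)$, while Trace needs only $C_j$ and no secret at all, which is exactly the separation of powers the scheme is after.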
Security

Security Model [KTY04]
There are three kinds of attacks:
Misidentification: the adversary forges a valid signature that is opened/traced to no one.
Framing: the adversary forges a valid signature that is opened/traced to an innocent user, even if the adversary corrupts the GM.
Anonymity: the adversary distinguishes a signature of user A from a signature of user B.
The adversary is allowed to access oracles.
Oracles
$Q_Y$: returns the public key.
$Q_S$: returns the GM's private key.
$Q_{p\text{-}join}$: executes a join dialog internally.
$Q_{a\text{-}join}$: executes an Iss procedure (the adversary plays the role of the user, the oracle plays the role of the GM).
$Q_{b\text{-}join}$: executes a Join procedure (the adversary plays the role of the GM, the oracle plays the role of the user).
$Q_{reveal}$: given $i$, returns the tracing information $C_i$.
$Q_{sig}$: given $(i, m)$, returns a signature on $m$ by the $i$-th user.
Misidentification attack
The oracles represent the system collectively: the good users and the GM. The adversary may query $Q_Y$, $Q_{p\text{-}join}$, $Q_{a\text{-}join}$, $Q_{sig}$, $Q_{reveal}$.
The adversary forges a signature satisfying: it opens to none of the controlled group, or it traces to none of the controlled group.
Secure against misidentification from the hardness of the one-more SDH representation problem.
Framing attack
The oracles represent the system collectively: the good users and the GM. The adversary may query $Q_Y$, $Q_S$, $Q_{b\text{-}join}$, $Q_{sig}$.
The adversary forges a signature satisfying: it opens to an innocent user, or it traces to an innocent user.
Secure against framing from the hardness of DLP (recall $T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A + (r_1 + r_2) Z$, $T_4 = r_3 W$, $T_5 = e(P_1, T_4)^x$).
Anonymity attack
The adversary may query $Q_Y$, $Q_{p\text{-}join}$, $Q_{a\text{-}join}$, $Q_{sig}$, $Q_{reveal}$.
The adversary selects two users $i_0, i_1$ (by name) and sends them to the oracles. The oracles pick $b$ randomly from $\{0, 1\}$, generate a signature $\sigma$ of $i_b$ and return $\sigma$. The adversary guesses $b$.
The adversary is not allowed to call $Q_{reveal}(i_0)$ or $Q_{reveal}(i_1)$, before or after $i_0$ and $i_1$ are chosen.
Secure against the anonymity attack from the semantic security of linear encryption and the DDH (recall $T_1 = r_1 X$, $T_2 = r_2 Y$, $T_3 = A + (r_1 + r_2) Z$, $T_4 = r_3 W$, $T_5 = e(P_1, T_4)^x$).
Security of Our Scheme
Theorem: Under the q-SDH and DLDH assumptions, our scheme is secure in the random oracle model.
Conclusion

Conclusion
Invented a new technical tool: the one-more SDH representation problem, based on the q-SDH assumption.
Constructed a short scheme: ours is 362 bytes, 1.5 to 3 times the length of an RSA signature ([KTY04]: 1206 bytes, [NS04]: 917 bytes).
Proved the security formally.