DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

Transcription

1 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol, 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA 2014 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

2 OUTLINE 1 BACKGROUND 2 A SECURITY MODEL 3 GENERIC CONSTRUCTIONS 4 INSTANTIATIONS 5 SUMMARY DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

3 ATTRIBUTE-BASED SIGNATURES Attribute-Based Signatures [Maji et al. 2008]. Users have attributes (e.g. Departmental Manager, Chairman, Finance Department, etc.). A user can sign a message w.r.t. a policy Ψ only if she owns attributes A s.t. Ψ(A) = 1. The verifier learns nothing other than that some signer with attributes satisfying the policy has produced the signature. Sig - Finance Dept. - Manager Chairman OR Manager AND Finance OR Supervisor AND Materials DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 1 / 21

4 APPLICATIONS OF ATTRIBUTE-BASED SIGNATURES Example applications: Attribute-Based Messaging: Recipients are assured the sender satisfies a certain policy. Leaking Secrets: Ring Signatures [RST01] allow a signer to sign a message on behalf of an ad-hoc group. ABS allow more expressive predicates for leaking a secret The leaker satisfies some policy vs. the leaker is in the ring. Many other applications:... DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 2 / 21

5 SECURITY OF ATTRIBUTE-BASED SIGNATURES Security of Attribute-Based Signatures [Maji et al. 2008] (Perfect) Privacy (Anonymity): The signature hides: 1 The identity of the signer. 2 The attributes used in the signing (i.e. how Ψ was satisfied). Unforgeability: A signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy even if she colludes with other signers. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 3 / 21

6 RELATED WORK ON ATTRIBUTE-BASED SIGNATURES Maji et al & Shahandashti and Safavi-Naini Li et al Okamoto and Takashima 2011 & Gagné et al Herranz et al DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 4 / 21

7 TRACEABLE ATTRIBUTE-BASED SIGNATURES Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011]: Extend ABS by adding an anonymity revocation mechanism. A tracing authority can reveal the identity of the signer. Crucial in enforcing accountability and deterring abuse. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 5 / 21

8 OUR CONTRIBUTION 1 A security model for Decentralized Traceable Attribute-Based Signatures (DTABS). 2 Two generic constructions for DTABS. 3 Example instantiations in the standard model. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 6 / 21

9 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Tracing Authority Sig Professor at Bristol OR IACR Member DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 7 / 21

10 DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Features of Our Model: Multiple attribute authorities, e.g. Company A, University B, Organization C, Government D, etc. Need not trust one another or even be aware of each other. Signers and attribute authorities can join the system at any time. A tracing authority can reveal the identity of the signer. Tracing correctness is publicly verifiable. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 8 / 21

11 SECURITY OF DTABS Correctness: If all parties are honest: Signatures verify correctly. The tracing authority can identify the signer. The Judge algorithm accepts the tracing decision. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 9 / 21

12 SECURITY OF DTABS Anonymity: Signatures do not reveal the identity of the signer or the attributes used. Add Signer Add Signer param Add Auth Add Auth Add Corrupt Auth Add Corrupt Auth Reveal Signer Key Reveal Signer Key Reveal Auth Key Reveal Auth Key (sid 0,A 0 ),(sid 1,A 1 ),m,ψ σ CH CH b {0,1} b {0,1} Trace Signature Trace Signature b * Adversary wins if: b = b. The CH oracle returns if Ψ(A 0 ) 1 or Ψ(A 1 ) 1. The Trace oracle returns if queried on σ. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 10 / 21

13 SECURITY OF DTABS Full Unforgeability: Even if signers collude, they cannot produce a signature on behalf of a signer whose attributes do not satisfy the policy. Covers non-frameability. Add Signer Add Signer Param, tk Add Auth Add Auth Add Corrupt Auth Add Corrupt Auth Reveal Signer Key Reveal Signer Key Reveal Auth Key Reveal Auth Key Sign Sign m *, σ *, ψ *, sid *, π * Adversary wins if: σ is valid and π accepted by Judge. No corrupt subset of attributes A sid s.t. Ψ (A sid )=1. (sid,, m, σ, Ψ ) was not obtained from the signing oracle. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 11 / 21

14 SECURITY OF DTABS Traceability: Signatures are traceable, i.e. the tracing authority can always identify the signer. Add Signer Add Signer Param, tk Add Auth Add Auth Reveal Signer Key Reveal Signer Key Sign Sign Adversary wins if all the following holds: σ is a valid signature on m w.r.t. Ψ and either: σ opens to a signer who was never added. The Judge algorithm rejects the tracing proof. m *, σ *, ψ * DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 12 / 21

15 GENERIC CONSTRUCTIONS Construction I Tools used: Two NIZK systems N IZK 1 and N IZK 2. N IZK 1 needs to be simulation-sound and a proof of knowledge. A tagged signature scheme T S: a digital signature scheme that signs a tag and a message. A digital signature scheme DS. An IND-CCA2 public key encryption scheme PKE. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 13 / 21

16 GENERIC CONSTRUCTIONS (CONSTRUCTION I) Setup: Generate (epk, esk) for PKE, (vk, sk) for DS, crs 1 for N IZK 1, and crs 2 for N IZK 2. Set tk := esk and param := (crs 1, crs 2, vk, epk, H). Attribute Authority Join: Generate (aavk aid, assk aid ) for T S. Attribute Key Generation: To generate a key sk sid,a for attribute a for signer sid, compute sk sid,a T S.Sign(assk aid(a), sid, a). DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 14 / 21

17 GENERIC CONSTRUCTIONS (CONSTRUCTION I) Signing: To sign m w.r.t. Ψ: 1 C PKE.Enc(epk, sid). 2 Produce a proof π of A and sid that: 1 C is an encryption of sid. 2 Either owns attributes A s.t. Ψ(A) = 1 Has a valid tagged signature on (sid, a) for each a A OR Has a special digital signature on H(Ψ, m, C), i.e. a pseudo-attribute. The signature is σ := (C, π). Tracing: The tracing authority uses esk to decrypt C to obtain sid. Produces a proof π Trace of esk that decryption was done correctly. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 15 / 21

18 GENERIC CONSTRUCTIONS Construction II Changes from Construction I: N IZK 1 need not be simulation-sound. Replace PKE with a selective-tag weakly IND-CCA tag-based encryption scheme T PKE. Need a strongly unforgeable one-time signature OT S. Another collision-resistant hash function Ĥ to hash into the tag space of T PKE. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 16 / 21

19 GENERIC CONSTRUCTIONS (CONSTRUCTION II) Signing: To sign m w.r.t. Ψ: 1 Choose a fresh key pair (otsvk, otssk) for OT S. 2 C tbe T PKE.Enc(epk, Ĥ(otsvk), sid). 3 Produce a proof π of A and sid that: 1 C tbe is an encryption of sid under tag Ĥ(otsvk). 2 Either owns attributes A s.t. Ψ(A) = 1 Has a valid tagged signature on (sid, a) for each a A OR Has a special digital signature on H(Ψ, m, C tbe, Ĥ(otsvk)). 4 Compute σ ots OT S.Sign(otssk, (π, C tbe, otsvk)). The signature is σ := (σ ots, π, C tbe, otsvk). Tracing: The tracing authority uses esk to decrypt C tbe to obtain sid. Produces a proof π Trace of esk that decryption was done correctly. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 17 / 21

20 GENERIC CONSTRUCTIONS (CONSTRUCTION II) Security of the Construction: Anonymity: NIZK of N IZK 1 and N IZK 2. ST-IND-CCA of T PKE. Unforgeability of OT S. Collision-resistance of H and Ĥ. Full Unforgeability: Soundness of N IZK 1 and N IZK 2. Unforgeability of T S, DS and OT S. Collision-resistance of H and Ĥ. Traceability: Soundness of N IZK 1. Unforgeability of T S and DS. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 18 / 21

21 GENERIC CONSTRUCTIONS How to prove that one owns A s.t. Ψ(A) = 1? Use a span program: Represent Ψ by a Ψ β span matrix S. Prove you know a vector z s.t. z S = [1, 0,..., 0] {a i z i 0} satisfies Ψ. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 19 / 21

22 INSTANTIATIONS OF CONSTRUCTION II NIZKs Groth-Sahai proofs [GS08] secure under DLIN (or SXDH). T S A variant of the automorphic signature scheme [Fuc09,Fuc10]: tag space is G 1 G 2 and message space is Z p secure under q-adhsdh and WFCDH (or q-adhsdh and AWFCDH). T PKE Kiltz [Kil06] tag-based encryption scheme secure under DLIN or (SDLIN in group G i ). DS The full Boneh-Boyen signature scheme secure under q-sdh. Need not hide the integer component. OT S The full Boneh-Boyen signature scheme secure under q-sdh. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 20 / 21

23 SUMMARY A security model for decentralized traceable attribute-based signatures. Two generic constructions. Instantiations in the standard model. DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES 21 / 21

24 THE END Thank you for your attention! Questions? DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES