FORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013

Transcription

1 FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi University of Bristol ACISP 2013 FORMALIZING GROUP BLIND SIGNATURES...

2 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

3 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

4 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

5 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

6 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

7 OUTLINE 1 BACKGROUND 2 SECURITY MODEL 3 BUILDING BLOCKS 4 OUR CONSTRUCTIONS 5 FULL ANONYMITY 6 SUMMARY & OPEN PROBLEMS FORMALIZING GROUP BLIND SIGNATURES...

8 GROUP BLIND SIGNATURES Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the privacy of the message to be signed. Group Blind Signatures [LZ98] combine properties of the above and thus preserve both the anonymity of the signer + the privacy of the message. FORMALIZING GROUP BLIND SIGNATURES... 1

9 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk User Group FORMALIZING GROUP BLIND SIGNATURES... 2

10 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk User Group FORMALIZING GROUP BLIND SIGNATURES... 2

11 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk Sig User Group FORMALIZING GROUP BLIND SIGNATURES... 2

12 GROUP BLIND SIGNATURES ok ik Opener Issuer gpk Sig User Group FORMALIZING GROUP BLIND SIGNATURES... 2

13 HISTORY AND RELATED WORK The primitive which combines the properties of a blind signature [Cha83] and a group signature [CH91] was introduced by Lysyanskaya and Zulfikar [LZ98]. Existing constructions: Lysyanskaya and Zulfikar, Based on Camenisch-Stadler group signatures [CL97]. K. Q. Nguyen, Y. Mu, and V. Varadharajan, Uses divertible zero-knowledge proofs [OO90]. FORMALIZING GROUP BLIND SIGNATURES... 3

14 APPLICATIONS OF GROUP BLIND SIGNATURES Group blind signatures provide bi-directional privacy and are thus useful for applications where such a requirement is needed. Example applications: Distributed e-cash, e.g. [LZ98]: The e-coin reveals neither the identity of its holder nor that of the issuing bank/branch. Other applications include: multi-authority e-voting and e-auction systems. FORMALIZING GROUP BLIND SIGNATURES... 4

15 OUR CONTRIBUTION A formal security model for the primitive. A generic construction. The first instantiations without random oracles. Other useful building blocks and observations. FORMALIZING GROUP BLIND SIGNATURES... 5

16 SECURITY DEFINITION CHALLENGES The signing protocol is blind, i.e. the message is not known to the signer and the signature is not well defined, so: 1 How to define Full Anonymity, i.e. CCA2 Anonymity? How to identify the challenge signature? 2 How to define non-frameability? 3 How to extend blindness to the group setting? FORMALIZING GROUP BLIND SIGNATURES... 6

17 SYNTAX OF GROUP BLIND SIGNATURES A GROUP BLIND SIGNATURE GKg(1 λ ): Outputs gpk, ik and ok. UKg: Outputs a pair of personal secret/public keys (ssk[i], spk[i]) for a signer. Join(gpk, i, ssk[i]), Issue(ik, i, spk[i]) : If successful, Signer i becomes a member and obtains a group signing key gsk[i]. Obtain(gpk, m), Sign(gsk[i]) : If successful, the user obtains a signature Σ; Otherwise, it outputs. GVf(gpk, m, Σ): Verifies if Σ is valid on the message m. Open(gpk, ok, reg, m, Σ): Returns the identity of the signer plus a proof τ. Judge(gpk, i, spk[i], m, Σ, τ): Verifies the Opener s decision. FORMALIZING GROUP BLIND SIGNATURES... 7

18 SECURITY OF GROUP BLIND SIGNATURES Correctness: If all parties are honest, we have that: Signatures are accepted by the GVf algorithm. The Opener can identify the signer. The Judge algorithm accepts the Opener s decision. FORMALIZING GROUP BLIND SIGNATURES... 8

19 SECURITY OF GROUP BLIND SIGNATURES Anonymity: Signatures do not reveal who signed them. gpk,ik Open Open SSK SSK ModifyReg ModifyReg... CrptS CrptS i 0, i 1 Ch Ch b {0,1} b {0,1} SndToS SndToS b * Adversary wins if: b = b. Similarly to IND-RCCA [CKN03], the Open oracle returns if the signature opens to i 0 or i 1. FORMALIZING GROUP BLIND SIGNATURES... 9

20 SECURITY OF GROUP BLIND SIGNATURES Traceability: The adversary cannot output an untraceable signature. AddS AddS gpk,ok CrptS CrptS SndToI SndToI ReadReg ReadReg SSK SSK Σ,m Adversary wins if all the following holds: Σ verifies on m. Either Σ does not open to a signer in the group or Judge does not accept the Opener s decision on Σ. FORMALIZING GROUP BLIND SIGNATURES... 10

21 SECURITY OF GROUP BLIND SIGNATURES Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it. gpk,ik,ok CrptS CrptS SndToS SndToS ModifyReg ModifyReg SSK SSK OSign... OSign id,σ 1,m 1,...,Σ n+1,m n+1 Adversary wins if all the following holds: i {1,..., n + 1}, Σ i verifies on m i, opens to id and the opening is accepted by Judge. The adversary asked for only n signatures by signer id. If weak unforgeability, the messages are distinct. FORMALIZING GROUP BLIND SIGNATURES... 11

22 SECURITY OF GROUP BLIND SIGNATURES Blindness: Group members do not learn the message being signed. gpk,ik Open Open SSK SSK ModifyReg ReadReg ModifyReg ReadReg CrptS CrptS SndToS SndToS m 0,m 1 (Σ 0,Σ 1 ) or (, ) b * b {0,1} Obtain(gpk,m Obtain(gpk,m b ) b ) Obtain(gpk,m Obtain(gpk,m 1-b ) 1-b ) Σ b Σ 1-b Adversary wins if: b = b. If strong unforgeability, the Open oracle returns if (m, Σ) = (m b, Σ b ) or (m, Σ) = (m 1 b, Σ 1 b ). If weak unforgeability, the Open oracle returns if m {m 0, m 1 }. FORMALIZING GROUP BLIND SIGNATURES... 12

23 CONSTRUCTION CHALLENGES How to realize the subtle dual privacy requirement and 1 Maintain round optimality 2 Avoid idealized assumptions? FORMALIZING GROUP BLIND SIGNATURES... 13

24 (PRIME-ORDER) BILINEAR GROUPS G 1, G 2, G T are finite cyclic groups of prime order p, where G 1 := G 1 and G 2 := G 2. Pairing (e : G 1 G 2 G T ) : The function e must have the following properties: Bilinearity: H 1 G 1, H 2 G 2 x, y Z, we have e(h x 1, Hy 2 ) = e(h 1, H 2 ) xy. Non-degeneracy: The value e(g 1, G 2 ) 1 generates G T. The function e is efficiently computable. Type-3 [GPS08]: G 1 G 2 and no efficiently computable isomorphism between G 1 and G 2. FORMALIZING GROUP BLIND SIGNATURES... 14

25 GROTH-SAHAI PROOFS Groth-Sahai proofs [GS08]: G 1 G 2 f G T ι 1 ρ 1 ι 2 ρ 2 ι T ρ T H 1 := G 2 1 H 2 := G 2 2 F H T := G 4 T The system work by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either: The simulation setting perfectly hiding proofs. The extraction setting perfectly sound proofs. The limitations: 1 Can only extract one-way function (i.e. G w i ) of an exponent witness w. 2 Cannot simulate and extract at the same time. FORMALIZING GROUP BLIND SIGNATURES... 15

26 GROTH-SAHAI PROOFS Useful Properties of Groth-Sahai Proofs: Independence of public terms (Also, independently observed by [Fuc11]): Example: n m m n E := e(a j, Y j ) e(x i, B i ) e(x i, Y j ) γi,j = t T, j=1 i=1 i=1 j=1 a proof Π for E is independent of t T we can transform Π into a NIZK/NIWI proof for a related equation without knowledge of the original witness. Re-randomizability of proofs [BCCKLS09]: Re-randomize the GS commitments and update the proofs the new proof is unlinkable to the old one. FORMALIZING GROUP BLIND SIGNATURES... 16

27 A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME NCL is based on the CL signature scheme [CL04]: THE NCL SIGNATURE SCHEME KeyGen: Choose x, y Z p, set sk := (x, y) and pk := (X := G x 2, Y := Gy 2 ). Sign: To sign (M 1, M 2 ) G 1 G 2, return if e(m 1, G 2 ) e(g 1, M 2 ); otherwise, compute σ := ( A := G a 1, B := Ay, C := M ay 1, D := (A C)x) G 4 1. Verify: Check that A 1 G1 and e(b, G 2 ) = e(a, Y) e(c, G 2 ) = e(b, M 2 ) e(d, G 2 ) = e(a C, X) FORMALIZING GROUP BLIND SIGNATURES... 17

28 A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME NCL is secure under the (interactive) DH-LRSW assumption: DEFINITION (DUAL-HIDDEN LRSW (DH-LRSW) ASSUMPTION) Given (G x 2, Gy 2 ) for x, y Z p and an oracle that on input a pair (M 1, M 2 ) G 1 G 2 outputs: if e(m 1, G 2 ) e(g 1, M 2 ). A DH-LRSW tuple ( G a 1, Gay otherwise. 1, May 1, Ax M axy ) 1 for a Zp, it is infeasible to compute a DH-LRSW tuple for (M 1, M 2 ) that was never queried to the oracle. FORMALIZING GROUP BLIND SIGNATURES... 18

29 THE BLIND SIGNATURE SCHEME [FUC09] As an example, we use the blind signature scheme by [Fuc09] based on the following automorphic signature scheme: THE AUTOMORPHIC SIGNATURE SCHEME [FUC09] Setup: Given (e, G 1, G 2, G T, G 1, G 2, p), choose F, K, T G 1. KeyGen: Choose s Z p and set pk := (S 1, S 2 ) = (G s 1, Gs 2 ). Sign: To sign (M 1, M 2 ) G 1 G 2 where e(m 1, G 2 ) = e(g 1, M 2 ), choose r, c Z p and compute: H := (K T r M 1 ) 1 x+c, R1 := G r 1, R 2 := G r 2, C 1 := F c, C 2 := G c 2. The signature is σ := (H, R 1, C 1, R 2, C 2 ) G 3 1 G2 2. Verify: Check that e(h, S 2 C 2 ) = e(k M 1, G 2 )e(t, R 2 ) e(c 1, G 2 ) = e(f, C 2 ) e(r 1, G 2 ) = e(g 1, R 2 ) FORMALIZING GROUP BLIND SIGNATURES... 19

30 THE BLIND SIGNATURE SCHEME [FUC09] The automorphic signature scheme is secure under: DEFINITION (AWFCDH ASSUMPTION) Given (G 1, G a 1, G 2) G 2 1 G 2 for a Z p, it is infeasible to output a tuple (G b 1, Gab 1, Gb 2, Gab 2 ) G 2 1 G 2 2 for an arbitrary b Zp. DEFINITION (q-adhsdh ASSUMPTION) Given (G 1, F, K, G x 1, G 2, G x 2 ) G 4 1 G 2 2 for x Zp, and q 1 tuples (A i := (K G r i 1 ) 1 x+c i, C 1,i := F c i, C 2,i := G c i 2, R 1,i := G r i 1, R 2,i := G r i 2 )q 1 i=1, where c i, r i Z p, it is infeasible to output a new tuple (A, C1, C 2, R 1, R 2 ). FORMALIZING GROUP BLIND SIGNATURES... 20

31 FISCHLIN S GENERIC CONSTRUCTION FOR BLIND SIGNATURES To get a round-optimal blind signature, Fischlin s framework [Fis06]: 1 The user sends a commitment C to the message M to the signer. 2 The signer responds with a signature σ on the commitment C. 3 The final blind signature Σ is a NIZK PoK Π of C and σ s.t. 1 σ is a valid signature on C w.r.t. pk. 2 C is a commitment to M. FORMALIZING GROUP BLIND SIGNATURES... 21

32 SIGNER-ANONYMOUS BLIND SIGNATURES In Fischlin s framework If: 1 The PoK used is re-randomizable and independent of the public terms, e.g. Groth-Sahai proofs. 2 The signature scheme has the property that all the terms involving the message in the verification equations are independent of the signature components relying on the signing key, e.g. [Fuc09]., we obtain a signer-anonymous blind signature. FORMALIZING GROUP BLIND SIGNATURES... 22

33 SIGNER-ANONYMOUS BLIND SIGNATURES Modify the Fischlin s framework as follows: 1 The user sends a commitment C to the message M. 2 The signer signs C and responds with a PoK Π of σ and pk s.t. 1 σ is a valid signature on C w.r.t. pk. 3 The user proceeds as follows: 1 Re-randomizes Π into a fresh proof Π. 2 Adds to Π a proof that C is a commitment to M. The final signer-anonymous blind signature Σ is Π. FORMALIZING GROUP BLIND SIGNATURES... 23

34 SIGNER-ANONYMOUS BLIND SIGNATURES Security: Unforgeability: As in Fischlin s framework. Blindness: As in Fischlin s framework + Re-randomizability of the PoK. Anonymity: The hiding (i.e. NIWI/NIZK) properties of the PoK. FORMALIZING GROUP BLIND SIGNATURES... 24

35 FROM A SIGNER-ANONYMOUS BS TO A GBS To extend the signer-anonymous BS to a GBS, we need: 1 A signature scheme CERT to certify members public keys when they join. Give sk CERT to the Issuer as ik. 2 Give the PoK extraction key to the Opener as ok. 3 The signer additionally needs to prove that he has a certificate on his public key w.r.t. pk CERT, i.e. that he is a member of the group. FORMALIZING GROUP BLIND SIGNATURES... 25

36 INSTANTIATIONS Instantiation I The Join Protocol: Uses the NCL signature scheme. The Signing Protocol: Based on the BS by [Fuc09] (i.e. The automorphic signature scheme + GS proofs). Assumptions: DH-LRSW, SXDH, AWFCDH and q-adhsdh. The Pros : More efficient (signature size is G G36 2 ). The Cons : Involves some interactive intractability assumptions (i.e. the DH-LRSW assumption). FORMALIZING GROUP BLIND SIGNATURES... 26

37 INSTANTIATIONS Instantiation II The Join Protocol: Uses the automorphic signature scheme [Fuc 09]. The Signing Protocol: Based on the BS by [Fuc09] (i.e. the automorphic signature scheme [Fuc09] + GS proofs). Assumptions: SXDH, AWFCDH and q-adhsdh. The Pros : Only relies on falsifiable intractability assumptions. The Cons : Less efficient (signature size is G G38 2 ). FORMALIZING GROUP BLIND SIGNATURES... 27

38 ACHIEVING FULL ANONYMITY Groth-Sahai proofs are not simulation-sound when simulating, we can no longer answer Open queries. Q: How to achieve full anonymity? A: One way is to combine Groth-Sahai proofs with an IND-CCA2 encryption scheme. The signer additionally encrypts the witness and proves that it was done correctly. When simulating, decrypt the ciphertext to recover the witness. The encryption scheme needs to be re-randomizable, e.g. maybe we could use an IND-RCCA encryption scheme. FORMALIZING GROUP BLIND SIGNATURES... 28

39 ACHIEVING FULL ANONYMITY Groth-Sahai proofs are not simulation-sound when simulating, we can no longer answer Open queries. Q: How to achieve full anonymity? A: One way is to combine Groth-Sahai proofs with an IND-CCA2 encryption scheme. The signer additionally encrypts the witness and proves that it was done correctly. When simulating, decrypt the ciphertext to recover the witness. The encryption scheme needs to be re-randomizable, e.g. maybe we could use an IND-RCCA encryption scheme. FORMALIZING GROUP BLIND SIGNATURES... 28

40 SUMMARY A formal security model for the primitive. Round-optimal constructions. The first constructions without idealized assumptions. FORMALIZING GROUP BLIND SIGNATURES... 29

41 OPEN PROBLEMS Efficient fully-anonymous instantiations. More efficient constructions without idealized assumptions. FORMALIZING GROUP BLIND SIGNATURES... 30

42 THE END Thank you for your attention! Questions? FORMALIZING GROUP BLIND SIGNATURES... 31