Forward Secure Ring Signature without Random Oracles

Transcription

1 Forward Secure Ring Signature without Random Oraces Joseph K. Liu 1, Tsz Hon Yuen 2, and Jianying Zhou 1 1 Institute for Infocomm Research, Singapore {ksiu,jyzhou}@i2r.a-star.edu.sg 2 University of Hong Kong, Hong Kong thyuen@cs.hku.hk Abstract. In this paper, we propose a forward secure ring signature scheme without random oraces. With forward security, if a secret key of a corresponding ring member is exposed, a previousy signed signatures containing this member remain vaid. Yet the one who has stoen the secret key cannot produce any vaid signature beonged to the past time period. This is especiay usefu in the case of ring signature, as the exposure of a singe secret key may resut in the invaidity of thousands or even miions ring signatures which contain that particuar user. However, most of the ring signature schemes in the iterature do not provide forward security. The ony one with this feature [14] reies on random oraces to prove the security. We are the first to construct a forward secure ring signature scheme that can be proven secure without random oraces. Our scheme can be depoyed in many appications, such as wireess sensor networks and smart grid system. 1 Introduction Ring signatures [18] aow a member of a group to sign a message on behaf of the whoe group. The verifier does not know who is the rea signer in the group. The group can be set dynamicay by the signer and no coaboration is needed between the members of the group. In traditiona pubic key cryptography, the security of a cryptosystem is guaranteed under some intractabiity assumptions if the secret key is kept away from the adversary. However, there are many ways that a secret key may be comprised in the rea word. Hackers may stea your secret key if your computer is infected with trojans, or when you use the secret key in a phishing website. Therefore, it is important to minimize the damage even if the entire secret key is ost. When the attacker has fu access to your secret key, he can sign or decrypt on behaf of the victim. The The first and third authors are supported by the EMA project SecSG- EPD090005RFPD.

2 2 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou situation is even worse for ring signatures, since the attacker can forge a message on behaf of the whoe group. Moreover, the other members of the group may be competey unaware of such forgery, since they are unaware of being conscripted into the group. Forward security for signatures [3] was designed to the key exposure probem. A forward secure signature in the past remains secure even if the current secret key is ost. The first soution was designed by Beare and Miner [5]. The main idea is to divide the ifetime of the pubic key into T intervas, and in each time interva the same pubic key corresponds to different secret keys. A current secret key can be used to derive the secret key in the future, but not the past. Therefore, even a compromise of the current secret key does not enabe the adversary to forge signatures pertaining to the past. Forward secure ring signatures were proposed by Liu and Wong [14] to resove the key exposure probem in ring signatures. The motivation is to reduce the damage of exposure of any secret key of users in ring signature. Even if a secret key is compromised, previousy generated ring signatures remain vaid and do not need to be re-generated. They proposed the security mode and gave a concrete construction in the random orace mode. Here we first review some practica appications of forward secure ring signatures. 1.1 Appications Ad-Hoc Networks: The steadiy growing importance of portabe devices and mobie appications has spawned new types of groups of interacting parties: ad-hoc groups. The highy dynamic nature of such groups raises new chaenges for networking. Ad-hoc networks may be described as networks with minima infrastructure, acking fixed routers or stabe inks. Wireess sensor network is a kind of ad-hoc network. Such networks inherenty dea with spontaneous ad-hoc groups: a group of users who spontaneousy wish to communicate sensitive data need a suite of protocos which do not invove any trusted third party or certification of any new pubic keys. Security goas have to be considered in this new context. Ring signatures are perfecty suited to such a setting, since no setup protoco is required. Without forward security, the compromise of a user secret key in the group may resut in the invaidity of a previous ring signatures invoved with this user incuding this user in the ring. The consequence is very serious. The whoe authentication system may be suspended if ony one user secret key has been compromised. Thus

3 Forward Secure Ring Signature without Random Oraces 3 forward security is an important addition to ring signature, especiay in the appication of ad-hoc group. Smart Grid: Smart Grid [17] is a form of eectricity network utiizing modern digita technoogy. The most distinctive feature in smart grid is its two-way capabiities for data communication: Not ony the grid controer can issue commands to inteigent devices, consumers and devices can aso send data to grid controers. The abiity to access, anayze, and respond to much more precise and detaied data from a eves of the eectric grid is critica to the major benefits of the Smart Grid. As an exampe, Microsoft Hohm [16] provides a patform for consumers to upoad energy usage data, based on which a statistica report is created. The purpose is to encourage consumers to compare their energy consumption with others e.g., on the same street and thus use eectricity more efficienty. Data integrity is a necessary requirement in those appications since the comparison woud be meaningess if the data is maiciousy modified or faked. Privacy, on the other hand, is aso a significant concern: Consumers may not want to give their identity information to any third-party service providers. Ring signature is a promising soution on appications e.g., Microsoft Hohm requiring both integrity and privacy. In ring signature, a vaid signature wi convince the service provider that the data is upoaded by a consumer on a certain street, without teing who exacty the consumer is. Forwardsecurity is certainy desirabe in this situation since a compromised private key within a time period wi not have any negative impact on statistica reports generated previousy. In other words, od statistica reports woud remain vaid if forward-security is satisfied. Our Contributions. The security proofs for various cryptosystems used the random orace mode [6]. Severa papers [9, 4] showed that it is possibe to prove a cryptosystem secure in the random orace whie the actua construction is insecure when the random orace is instantiated by any rea-word hash function. Thus, it is desirabe to design cryptosystems provaby secure without requiring random oraces. In this paper, we propose the first forward-secure ring signatures without random oraces. The forward secure ring signatures proposed by Liu and Wong [14] is ony secure in the random orace mode. We prove the security under the CDH and subgroup decision probem. Reated Works. There are some ring signature schemes that do not rey on the random oraces. Xu et a. [23] described a ring signature scheme in the standard mode, but the proof is not rigorous and is apparenty fawed [7]. Chow et a. [11] proposed a ring signature scheme in the standard mode, though it is based on a strong new assumption. Bender et a.

4 4 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou [7] gave a ring signature secure in the standard mode assuming trapdoor permutations exists. Their scheme uses generic ZAPs for NP as a buiding bock, which may not be practica. Shacham and Waters [20] presented an efficient ring signature scheme without random oraces, based on standard assumption. They rey on composite order pairing that requires a trusted setup procedure. Schäge and Schwenk [19] gave another ring signature scheme in the standard mode using basic assumption. In contrast to [20], they used prime order pairing instead. However, their security mode does not aow the adversary to query any private key. A the above schemes do not provide forward security. On the other side, the concept of forward secure signatures was first proposed by Anderson [3] for traditiona signatures. It was formaized by Beare and Miner [5]. The basic idea is to extend a standard digita signature agorithm with a key update agorithm, so that the secret key can be changed frequenty whie the pubic key stays the same. The resuting scheme is forward secure if the knowedge of the secret key at some point in time does not hep forge signatures reative to some previous time period. The chaenge is to design an efficient scheme of this concept. In particuar the size of the secret key, pubic key and signature shoud not be dependent on the number of time period during the ifetime of the pubic key. Severa schemes [2, 13, 1, 12, 15] have been proposed by traditiona signatures and threshod signatures that satisfy this efficiency property. In addition, a forward secure group signature scheme and a forward secure identity-based signature scheme are proposed in [21] and [24] respectivey. 2 Preiminaries 2.1 Pairings We make use of biinear groups of composite order. Let N be a composite number with factorization N = pq. We have: 1 G is a mutipicative cycic group of order N. 2 G p is its cycic order-p subgroup, and G q is its cycic order-q subgroup. 3 g is a generator of G, whie h is a generator of G q. 4 G T is a mutipicative group of order N. 5 e is a biinear map such that e : G G G T with the foowing properties: Biinearity: For a u, v G, and a, b Z, eu a, v b = eu, v ab. Non-degeneracy: eg, g = G T whenever g = G. Computabiity: It is efficient to compute eu, v for a u, v G.

5 Forward Secure Ring Signature without Random Oraces 5 6 G T,p and G T,q are the G T -subgroups of order p and q, respectivey. 7 The group operations on G and G T can be performed efficienty. 8 Bit strings corresponding to eements of G and of G T can be recognized efficienty. 2.2 Mathematica Assumptions Definition 1. Computationa Diffie-Heman CDH in G p. Given the tupe r, r a, r b, where r R G p, and a, b R Z p, compute and output r ab. In the composite setting one is additionay given the description of the arger group G, incuding the factorization p, q of its order N. The CDH assumption is formaized by measuring an adversary s success probabiity for computationa Diffie-Heman, that is, Adv CDH = Pr[ Adversary outputs r ab ]. Definition 2. Subgroup Decision. Given w seected at random either from G with probabiity 1/2 or from G q with probabiity 1/2, decide whether w is in G q. For this probem one is given the description of G, but not given the factorization of N. The assumption is formaized by measuring an adversary s guessing advantage for the subgroup decision probem. That is, Adv SD = Pr[ Adversary guesses correcty ] 1 2. Note that if CDH in G p is hard then so is CDH in G. The assumption that the subgroup decision probem is hard is caed Subgroup Hiding SGH assumption, and was introduced by Boneh et a [8]. 3 Security Mode 3.1 Syntax of Forward Secure Ring Signatures A forward secure ring signature FSRS scheme, is a tupe of four agorithms KeyGen, Sign, Verify and Update. sk i,0, pk i KeyGen1 λ is a PPT agorithm which, on input a security parameter λ N, outputs a private/pubic key pair sk i,0, pk i such that the private key is vaid for time t = 0. 3 We denote by SK and PK the domains of possibe secret keys and pubic keys, respectivey. 3 We denote sk i,t to be the secret key of user i at time t.

6 6 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou sk i,t+1 Updatesk i,t, t is a PPT agorithm which, on input a private key for a certain time period t, outputs a new private key for the time period t + 1. σ t=n,y,σ Signt, n, Y, sk i,t, M is a PPT agorithm which, on input a certain time period t, group size n, a set Y of n pubic keys in PK, a secret key sk i,t whose corresponding pubic key pk i Y, and a message M, produces a signature σ t. 1/0 VerifyM, σ t, t is a deterministic agorithm which, on input a message-signature pair M,σ t and a time t returns 1 or 0 for accept or reject, resp. If accept, the message-signature pair is vaid. In some cases, we aso need to define some system parameters which might be shared by a users, ike the group G, the hash function, etc. Some parameters may be generated by a trusted authority, ike the group order N = pq whose factorization shoud not be known by any user. Therefore, we aso define this optiona agorithm: param Goba Setup1 λ is a PPT agorithm which, on input a security parameter λ N, outputs a system parameter param. If the agorithm Goba Setup exists, then the other agorithms KeyGen, Sign, Verify and Update wi take param as an additiona input. In the foowing discussion on the security mode, we omit Goba Setup and param for simpicity. We note that the security mode in [14] incudes Goba Setup which was named as Init in [14]. We beieve that this agorithm is optiona and may not be incuded. We aso observed that the Update agorithm in [14] is a deterministic agorithm. We think that the Update agorithm can be probabiistic and it is refected in our mode. Correctness. We require that 1 VerifyM, Signt, n, Y, sk i,t, M, t, where sk i,0, pk i KeyGen1 λ, pk i Y and sk i,t UpdateUpdate Updatesk i,0, 0, t 2, t 1. }{{} t Update 3.2 Forward-Security The notion of forward security is simiar to the unforgeabiity of standard ring signatures. An adversary shoud not be abe to output a signature σt = n, Y, σ for a time t and a message M such that VerifyM, σt, t = 1 uness either 1 one of the pubic keys in Y was generated by the adversary, or 2 a user whose pubic key is in Y expicity signed M previousy with respect to the same ring Y and time t.

7 Forward Secure Ring Signature without Random Oraces 7 Our mode is simiar to the unforgeabiity w.r.t. insider corruption in [7], which is the strongest security mode for unforgeabiity in [7]. Our mode adds the security reated to forward security. Forward-security for FSRS schemes is defined in the foowing game between a chaenger and an adversary A: 1. Setup. The chaenger runs KeyGen for times to obtain keypairs sk 1,0, pk 1,..., sk n,0, pk n. The chaenger gives A the set of pubic keys S = pk 1,..., pk n. 2. Query. A may adaptivey query the foowing oraces. sk i,t COpk i, t. The Corruption Orace, on input a pubic key pk i S and a time t, returns the corresponding secret key sk i,t. σ t SOt, n, Y, pk i, M. The Signing Orace, on input a time t, a group size n, a set Y of n pubic keys, a pubic key pk i Y and a message M, returns a vaid signature σ t for time t. 3. Output. A outputs a signature σ t = n, Y, σ, a time t and a message M. A wins the game if: 1 VerifyM,σt,t =1, 2 Y S, 3 for a pki Y, there is no COpki, t query with time t t and 4 there is no SOt, n, Y,, M query. We denote by Adv fs A λ the probabiity of A winning the game. Definition 3 forward-secure. An FSRS scheme is forward-secure if for a PPT adversary A, Adv fs A λ is negigibe. 3.3 Anonymity The notion of anonymity is simiar to that of standard ring signatures. Simpy speaking, an adversary shoud not be abe to te which member of a ring generated a particuar ring signature. We note that anonymity can be defined in either a computationa or an unconditiona sense where, informay, anonymity hods for poynomia-time adversaries in the former case, and it hods for a-powerfu adversaries in the atter case. For simpicity, we ony present the computationa version. In our mode, the adversary is aso the given the secret keys of a users at time 0, which impies the secret keys of a users in the a time intervas. Our mode is simiar to the anonymity against fu key exposure in [7], which is the strongest security mode for anonymity in [7]. Anonymity for FSRS schemes is defined in the foowing game between a chaenger and an adversary A:

8 8 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou 1. Setup. The chaenger runs KeyGen for n times to obtain keypairs sk 1,0, pk 1,..., sk n,0, pk n. The chaenger gives A the set of pubic keys S = pk 1,..., pk n and the set of secret keys sk 1,0,..., sk n,0. 2. Query 1. A may query the signing orace adaptivey. 3. Chaenge. A gives the chaenger a time t, a group size n, a message M, a set Y of n pubic keys, such that two pubic keys pk i0, pk i1 S are incuded in Y. The chaenger randomy picks a bit b {0, 1} and runs σt Signt, n, Y, sk ib,t, M. The chaenger gives the signature σt to A. 4. Query 2. A may query the signing orace adaptivey. 5. Output. A returns his guess b. A wins the game if b = b. Define the advantage as Adv F S Anon A λ = Pr[A wins] 1/2 for security parameter λ. Definition 4 FS-Anonymity. A FSRS scheme is anonymous if for any PPT adversary A, Adv F S Anon A λ is negigibe. 4 Our Proposed Forward Secure Ring Signature Scheme 4.1 Intuition Our construction is motivated from [20]. We add a binary tree key structure [10] to provide forward security. We first expain the intuition of our binary tree key structure here. We use binary tree to evove the secret key. In order to represent T = 2 time periods, we use a fu binary tree with depth. We associate each time period with each eaf of tree from eft to right. The eftmost eaf node denotes time period 0 and the rightmost eaf node denotes time period T 1. At the beginning, it stores the eftmost eaf node, and the right-chid nodes 1 node starting from its parent node. That is, assume = 4, the secret key for T = 0 contains the nodes 0000, 0001, 001, 01, 1. We put the current node as the first position. When it performs the first update, as the current node is a eft-chid 0 node, we just deete the current node and move forward to its rightchid 1 node under the same parent. In the above exampe, the secret key for T = 1 contains the nodes 0001, 001, 01, 1. When it performs the next update, as the current node is a right-chid 1 node, it first finds the ast 0 node aong the path. Extract the corresponding right-chid 1 node, generate the nodes under this node

9 Forward Secure Ring Signature without Random Oraces 9 as in the beginning and deete the current node and its parent node. In the above exampe, the current node is The ast 0 node is 000. Its corresponding right-chid is 001. Thus we generate the nodes under the node 001. In this case, we just need to generate the node 0010 and Finay, the secret key for T = 2 contains the nodes 0010, 0011, 01, 1. Simiary, the next update is simpe, by just deeting 0010 and repaced by The secret key for T = 3 contains the nodes 0011, 01, 1. For the next update, find the ast 0 node, which is 00 in this case. Extract the corresponding right-chid node, which is 01. Perform another node generation process under this node 01 and deete the current node and this node. The new nodes generated are 0100, 0101, 011. Thus the secret key for T = 4 contains the nodes 0100, 0101, 011, 1. After a few updates, assume the current time period is T = 7. That is, the current node is For this update, first find the ast 0 node, which is 0. Extract the corresponding right-chid node, which is 1. Perform a node generation process under this node 1. Thus the secret key for T = 8 contains the nodes 1000, 1001, 101, 11. We hope by presenting this exampe, readers may now know the intuition and concept of our binary key structure for secret key and key update process. 4.2 Construction In our ring signature a the users keys must be defined in a group G of composite order. That group must be set up by a trusted authority, since the factorization of its order N must be kept secret. In addition to setting up the group G, the setup authority must aso set up some additiona parameters, using a goba setup agorithm we now describe. Goba Setup. Let λ, κ be a security parameter and the tota number of time periods T = 2. The setup agorithm runs the biinear group generator N = pq, G, G T, e G1 λ. Let H : {0, 1} {0, 1} κ be a coision resistant hash function. Suppose the group generator G aso gives the generators g 1, B 0, u, u 1,..., u κ, v, v 1,..., v G, h 1 G q and α Z N. Set g 2 = g α 1 and h 2 = h α 1. The pubic parameters are N, G, G T, e, g 1, g 2, B 0, h 1, h 2, u, u 1,..., u κ, v, v 1,..., v, H. Everyone can check the vaidity of g 1, g 2, h 1, h 2 using pairings. KeyGen. Choose a random s, r u0, r u1 Z N. First compute SK 0 = g2v s ru r u0 0, g 1, v ru 0 2,..., v ru 0, SK 1 = g2vv s 1 ru r u1 1, g 1, v ru 1 2,..., v ru 1.

10 10 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou Then for k = 2 to do BEGIN Parse a 0, a 1, b k,..., b = g2v s r, g1 r, vk r,..., vr SK 0 k 1, for some r Z N, where 0 k 1 = } 0.{{.. 0}. k 1 Seect t 0, t 1 R Z N and compute SK 0 k = a 0 v t 0, a 1 g t 0 t 1, b k+1 v 0 k+1,..., b v t 0 = g2v s r 0, g r 0 1, v k+1 r 0,..., v r 0, where r 0 = r + t 0, and SK 0 k 1 1 = a 0 v t 1 v t 1 k vk r, a 1g t 1 t 1, b k+1 v 1 k+1,..., b v t 1 = g2v s r 1 v r 1 k, gr 1 1, v k+1 r 1,..., v r 1, where r 1 = r + t 1. END Set pk i = g1 s be the pubic key of user i and sk i,0 = } { SK 0, SK 1, SK 01,..., SK be the secret key of user i in time period 0. Update. On input a secret key sk i,j for user i and current time period j, if j < T the user updates the secret key as foow: 1. Let j = j 1... j be the binary representation of j and et b {0, 1} be a bit, for = 1,...,. We aso define j 0 = ɛ and b 0 = ɛ to be empty strings. Parse { SK j, {SK b0...b k 1 1} k=1 : j k =0 } sk i,j. 2. If j = 0, the new secret key is { sk i,j+1 = SK j0...j 1 1, {SK b0...b k 1 1} 1 k=1 : j k =0}.

11 Forward Secure Ring Signature without Random Oraces If j = 1, find the argest integer φ such that j φ = 0. Let c {0, 1} be a bit, for = 1,..., φ. We define c 0 = j 0 = ɛ to be an empty string and aso define c 0 = j 0 = ɛ, c 1 = j 1,..., c φ 1 = j φ 1, c φ = 1. Then for k = φ + 1 to do BEGIN Parse a 0, a 1, b k,..., b = g2 s v k 1 =1 for some r Z N. Seect t 0, t 1 R Z N and compute SK c1...c k 1 0 = = a 0 v g s 2 k 1 =1 r v c, g1 r, vk r,..., vr SK c1...c k 1, t0, v c a1 g t 0 t 1, b k+1 v 0 k+1,..., b v t 0 k 1 r0, v v c g r 0 1, v k+1 r 0,..., v r 0, =1 where r 0 = r + t 0, and k t1v SK c1...c k 1 1 = a 0 v v c r k, a 1g t 1 t 1, b k+1 v 1 k+1,..., b v t 1 = g s 2 v =1 k =1 r1, v c g r 1 1, v k+1 r 1,..., v r 1 where r 1 = r + t 1. We define a new bit c k and set c k = 0 at this stage. Note that currenty ony c 0,..., c k 1 are we defined, but not c k. We define c k in this stage, as in the next oop, k wi be increment by 1, this bit wi be used as the ast bit of the subscript notation in SK in equation1. END, 1 Return { sk i,j+1 = SK j0...j φ 1 10 φ, {SK j0...j φ 1 10 k 1} φ 1, k=0 where b is a binary string. {SK b } sk i,j : b φ 1 }.

12 12 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou 4. Erase sk i,j. Sign. To sign a message M {0, 1} in time period j, where 0 j < T, et j = j 1... j be the binary representation of j. On behaf of a ist of distinct pubic keys Y = {pk 1,..., pk n } = {g s 1 1,..., gsn 1 }, a user with secret key sk τ,j, where τ {1,..., n} computes the foow: 1. Compute m 1,..., m κ = HY, M, j. 2. Without oss of generaity, suppose that τ is the index of the actua signer. Define f i such that f i = 1 if i = τ. Otherwise f i = 0. g s i 1 B 0 fih x i 1 and 3. For i = 1,..., n, choose x i R Z N and set C i = s g i xi 2fi 1 1 π i = B 0 h x i 1. Here the vaue π i acts as a proof that C i is we-formed. Let C = n i=1 C i and x = n i=1 x i. Then we have B 0 C = h x 1 gsτ Extract SK j sk τ,j and parse r a 0, a 1 g2 sτ v v j, g1 r for some r Z N. =1 5. Choose r, r κ R Z N and compute r κ S 1 = a 0 v v j u u m rκ h x 2, S 2 = g1 rκ S 3 = a 1 g r 1. =1 The signature σ is =1 S 1, S 2, S 3, {C i, π i } n i=1. Verify. To verify a signature σ for a message M, a ist of pubic keys Y where Y = n and the time period j, first et j = j 1... j be the binary representation of j. Then: 1. Verify that no eement is repeated in Y and output invaid otherwise. 2. Compute m 1,..., m κ = HY, M, j. 3. For i = 1,..., n, check if e C i, C i s g i 1 B 0 4. Compute C = n i=1 C i and check if: es 1, g 1 = e S 2, u κ =1 = eh 1, π i. u m e g 2, B 0 C e S 3, v Output vaid if a equaities hod. Otherwise output invaid. =1 v j.

13 Correctness: e S 2, u = e S 2, u = e g rκ = e Forward Secure Ring Signature without Random Oraces 13 κ =1 κ =1 1, u κ =1 g 1, g sτ 2 = eg 1, S 1. u m e g 2, B 0 C e S 3, v u m e g 2, h x 1g sτ 1 e S 3, v =1 =1 u m eg 2, g1 sτ eg 2, h x 1 e u κ =1 u m rκ v =1 v j v j g r +r 1, v =1 r v j +r eg 1, h x 2 v j Theorem 1. Our scheme is forward-secure against insider corruption if the CDH assumption hods in G p. Theorem 2. Our scheme is anonymous if the Subgroup Decision assumption hods in G. Detais of the security anaysis of our scheme can be found in the appendix. 4.3 Comparison We compare our scheme with some ring signature schemes in the iterature in Tabe 1. Denote the number of users in the group as n and the number of bits of the message as κ. The time of an exponentiation in a group G is exp G, and the time of a mutipication in a group G is mu G. The time of a pairing operation is pair. Note that the Schäge-Schwenk scheme [19] is the most efficient ring signature scheme in the standard mode. However, it is ony secure in the weaker chosen subring mode for unforgeabiity. The first forward secure ring signatures by Liu-Wong [14] is ony secure in random orace mode ROM. Our scheme has a sma overhead comparing with the Shacham-Waters scheme [20], whie providing the extra forward security FS property in the standard mode. 5 Concusion In this paper, we presented a forward secure ring signature scheme. Our construction is the first in the iterature that can be proven secure without

14 14 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou Tabe 1. Comparison Scheme Signature Size Sign Time Verify Time Mode Assumption FS Shacham - 2n + 2G 3n + 2 exp G, 2n + 3 pair, Fu CDH, Subgp Waters [20] 2n + κ + 2 mu G 2n + κ + 1 mu G 1 mu GT. Schäge - n + 1G n + 2 exp G, n + 2 pair, Chosen CDH Schwenk [19] n + κ mu G. κ mu G Subring 2n + 1Z N 3n exp ZN, 3n exp ZN, n mu GT. Liu - ROM Factorization Wong [14] n mu ZN n mu ZN Our scheme 2n + 3G 3n + 4 exp G, 2n + 5 pair, Fu CDH, Subgp 4n + κ + 3 mu G. 3n + κ + 1 mu G 3 mu GT. random oraces. The security reies on the CDH and subgroup decision probem. We beieve there are a number of usefu appications of forward secure ring signature scheme, such as wireess sensor networks and smart grid system. References 1. M. Abdaa, S. Miner, and C. Namprempre. Forward-secure threshod signature schemes. In CT-RSA 2001, voume 2020 of Lecture Notes in Computer Science, pages Springer, M. Abdaa and L. Reyzin. A new forward-secure digita signature scheme. In ASIACRYPT 2000, voume 1976 of Lecture Notes in Computer Science, pages Springer, R. Anderson. Two remarks on pubic key cryptoogy. Technica Report UCAM- CL-TR-549, University of Cambridge, Computer Laboratory, Dec Reevant materia presented by the author in an invited ecture at CCS M. Beare, A. Bodyreva, and A. Paacio. An uninstantiabe random-orace-mode scheme for a hybrid-encryption probem. In EUROCRYPT 2004, voume 3027 of Lecture Notes in Computer Science, pages Springer, M. Beare and S. Miner. A forward-secure digita signature scheme. In M. J. Wiener, editor, Crypto 99, voume 1666 of Lecture Notes in Computer Science, pages Springer, M. Beare and P. Rogaway. Random oraces are practica: A paradigm for designing efficient protocos. In ACM Conference on Computer and Communications Security, pages ACM Press, A. Bender, J. Katz, and R. Morsei. Ring signatures: Stronger definitions, and constructions without random oraces. In TCC, voume 3876 of Lecture Notes in Computer Science, pages Springer, D. Boneh, E.-J. Goh, and K. Nissim. Evauating 2-dnf formuas on ciphertexts. In TCC, voume 3378 of Lecture Notes in Computer Science, pages Springer, 2005.

15 Forward Secure Ring Signature without Random Oraces R. Canetti, O. Godreich, and S. Haevi. The Random Orace Methodoogy, Revisited. In STOC, pages , R. Canetti, S. Haevi, and J. Katz. A forward-secure pubic-key encryption scheme. In EUROCRYPT 2003, voume 2656 of Lecture Notes in Computer Science, pages Springer, S. S. Chow, J. K. Liu, V. K. Wei, and T. H. Yuen. Ring signatures without random oraces. In ASIACCS 06, pages ACM Press, G. Itkis and L. Reyzin. Forward-secure signatures with optima signing and verifying. In CRYPTO 2001, voume 2139 of Lecture Notes in Computer Science, pages Springer, H. Krawczyk. Simpe forward-secure signatures from any signature scheme. In the 7th ACM Conference on Computer and Communications Security, pages ACM Press, J. K. Liu and D. S. Wong. Soutions to key exposure probem in ring signature. I. J. Network Security, 62: , T. Makin, D. Micciancio, and S. Miner. Efficient generic forward-secure signatures with an unbounded number of time periods. In EUROCRYPT 2002, voume 2332 of Lecture Notes in Computer Science, pages Springer, Microsoft. Conserve Energy, Save Money - Microsoft Hohm, N. I. of Standards and Technoogy. Nist ir 7628: Guideines for smart grid cyber security. Technica report, R. L. Rivest, A. Shamir, and Y. Tauman. How to eak a secret. In ASIACRYPT 2001, voume 2248 of Lecture Notes in Computer Science, pages Springer, S. Schäge and J. Schwenk. A cdh-based ring signature scheme with short signatures and pubic keys. In Financia Cryptography, voume 6052 of Lecture Notes in Computer Science, pages Springer, H. Shacham and B. Waters. Efficient ring signatures without random oraces. In Pubic Key Cryptography, voume 4450 of Lecture Notes in Computer Science, pages Springer, D. X. Song. Practica forward secure group signature schemes. In the 8th ACM Conference on Computer and Communications Security, pages ACM Press, B. Waters. Efficient identity-based encryption without random oraces. In EURO- CRYPT 2005, voume 3494 of Lecture Notes in Computer Science, pages Springer, J. Xu, Z. Zhang, and D. Feng. A ring signature scheme using biinear pairings. In WISA 2004, voume 3325 of Lecture Notes in Computer Science, pages Springer, J. Yu, R. Hao, F. Kong, X. Cheng, J. Fan, and Y. Chen. Forward-secure identity-based signature: Security notions and construction. Information Sciences, 1813: , Feb A Security Anaysis Theorem 3. Assume the CDH assumption hods in G p. If there is a PPT adversary A that can break the forward-security against insider corruption with non-negigibe advantage ɛ and running time t, we can construct another PPT B that can sove the CDH probem with probabiity

16 16 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou ɛ ɛ 8T κ+1q sn 1 qc n, using time at most t + O T 2 q c + n q s t e + O T 2 q c + n q s + κ + n q s t m, where q s, q c are the numbers of SO and CO respectivey, n is the number of pubic keys A aows to have, n is the number of users incuded in the forged signature produced by A, T is the tota number of time period, κ is the number of bits the hash function H outputs, t e is the time for running an exponentiation and t m is the time for running a mutipication. Proof. Setup. The simuator B runs the biinear group generator N = pq, G, G T, e G1 λ. B is given the CDH probem instance g, g a, g b G 3 p and is asked to output g ab. B first sets an integer, µ = 4q s, and chooses an integer, κ, uniformy at random between 0 and κ. B picks x, x 1,..., x κ uniformy at random between 0 and µ 1. B randomy picks a γ Z N and sets z 1 = g pγ q. Since g G p, z 1 is in G q. Aso z1 b can be computed from g b. B randomy picks a generator h 1 G q. B randomy picks y, y 1,..., y κ, ṽ, ṽ 1,..., ṽ, α, β Z N and sets g 1 = gz 1, g 2 = g a z α 1, u = g N κ µ+x 2 g y, u 1 = g x 1 2 gy 1,..., u κ = g xκ 2 gyκ, h 2 = h α 1, B 0 = h β 1, v = g 1ṽ, v 1 = g 1 ṽ 1,..., v = g 1 ṽ. Note that eg 1, h 2 = ez 1, h α 1 = ez α 1, h 1 = eg 2, h 1, since eg, h 1 = 1. Finay, B randomy chooses a coision resistant hash function H : {0, 1} {0, 1} κ. Then B gives the pubic parameters N, G, G T, e, g 1, g 2, B 0, h 1, h 2, u, u 1,..., u k, v, v 1,..., v, H] to the adversary A. We define j be the breakin period such that A is not aowed to query CO for any pubic key incuded in Y the set of pubic keys of the forged signature output by A, whie there is no imitation for time input parameter j j. A is aowed to choose any j T. B needs to guess the breakin period j chosen by A. B randomy chooses ĵ, 1 < ĵ T, hoping that the breakin period fas at ĵ or ater, so that the forgery wi be for a time period earier than ĵ. Assume B picks τ {1,..., n } as his guess for the chaenge signer. For i = 1,..., n, B picks random s i Z N and sets: { g s i 1 if i τ, pk i = g b z1 b if i = τ.

17 Forward Secure Ring Signature without Random Oraces 17 B stores the set of pubic keys S = {pk i } n i=1 and gives them to A. For a message m = {m 1,..., m κ }, we define F m = N µκ + x + κ x i m i, Jm = y + i=1 κ y i m i. i=1 Orace Simuation. B simuates the oraces as foows: COpk i, j: If pk i / S or i = τ, B decares faiure and exits. Otherwise, B chooses random r u0, r u1 Z N, computes α = g s i 2 and SK 0 = SK 1 = αv ru r u0 0, g 1, v ru 0 2,..., v ru 0, αvv 1 ru r u1 1, g 1, v ru 1 2,..., v ru 1. Then B computes the sk i,0 as secret key for user i in the time period 0 according to the KeyGen agorithm. If j 0, B performs Update agorithm unti it gets sk i,j, the secret key for the time period j. B outputs sk i,j. SOj, n, Y, pk i, M: On input a message M, a set of n pubic keys Y = {pk i } n i =1 where Y S, and the pubic key of a signer pk i, B cacuates C i, π i according to the Sign agorithm. Note that no secret key is required to generate C i, π i. Then we have B 0 C = h x 1 gs i 1. Denote m = HY, M, j. We aso write m into κ bits {m 1,..., m κ }. If κ x + x i m i 0 mod µ, i=1 then B aborts. If i τ, B cacuates a S 1,i, S 2,i, S 3,i according to the Sign agorithm. If i = τ, B chooses random r τ, r Z N and cacuates S 1,τ = g b Jm F m u κ =1 u m rτ v =1 r, v j S 2,τ = g b z b 1 1 F m gz 1 rτ, S 3,τ = g 1 r.

18 18 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou Let r = r τ b F m, then S 1,τ = g b Jm F m u = g b 2 = g b 2 κ =1 u m rτ v g F m 2 g Jm r τ b F m v u κ =1 u m r v =1 v j =1 r. =1 v j r v j r The simuator wi be abe to perform this computation if and ony if F m 0 mod N. For ease of anaysis the simuator wi ony continue in the sufficient condition where x + κ i=1 x im i 0 mod µ. If we have x + κ i=1 x im i 0 mod µ, this impies F m 0 mod N since we can assume N > κµ for any reasonabe vaues of N, κ, and µ. Finay, B cacuates the rest of the signature according to the Sign agorithm. Output. Assume A chooses a breakin period j ĵ. That is, the forged signature σ is vaid for time period j < ĵ. A returns n, Y, j, M, σ. Denote m = m 1,..., m κ = HY, M, j and j = j 1... j. Note that this hash vaue is different from previous m in various SO queries, since j, n, Y, M cannot be the input of previous SO queries and H is a coision resistant hash function. If κ pk τ / Y and x + x i m i µκ. then B aborts. Otherwise, WLOG, we assume that pk τ is at the position τ of the signature σ. Since σ is a vaid signature, then e C i, es1, g 1 = e S2, u C i pki B 0 κ =1 i=1 n u m e g 2, B 0 =1 C e S3, v =1 v j, 2 = eh 1, π i. 3

19 Forward Secure Ring Signature without Random Oraces 19 for i = 1,..., n. Since êh 1, πi has order q in G T, therefore either Ci or has order q from equation 3. B checks if Ci q = 0. If it is true, B 0 C i pk i then Ci has order q and then B sets f i = 0. Otherwise, B 0Ci pk i has order q and then B sets f i = 1. It foows that Ci = pk i B 0 f i z r i 1 for some unknown r i, no matter f i = 0/1. If f τ = 0, B aborts. Let Z N such that = 0 mod q and = 1 mod p. If we raise equation 2 to the -th power, then we have es1, g 1 =e S2, u κ =1 es1, gz 1 =e S2, g Jm e u u m e g 2, B 0 g a z α 1, B 0 i pk i Y C i pk i f i z r i 1 B 0 i pk i Y e S3, v =1 v j, e S3, gz 1 ṽ+ =1 ṽj, 4 es1, g =e S2, g Jm e g a, B 0 pk i f i B 0 i pk i Y e S3, gṽ+ =1 ṽj, 5 es1, g =e S2, g Jm e g a, B 0 pk τ g s i f i B 0 i pk i Y,i τ e S3, gṽ+ =1 ṽj, 6 es1, g = e S2, g Jm e g a, g b e S3, gṽ+ =1 ṽj. 7 For equation 4, note that κ j=1 u m j j = g F m 2 g Jm = g Jm, since x + κ x i m i = µκ. For equation 5, as = 0 mod q, a terms which are in G q are canceed. Thus pki fiz Ci = r i pki fi 1 =, since z 1 G q. B 0 B 0 From equation 7, we can see that S 1 = S 2 Jm g ab S 3 ṽ+ =1 ṽj. i=1

20 20 Joseph K. Liu, Tsz Hon Yuen, and Jianying Zhou Therefore B can output A = S 1 S 2 Jm S 3 ṽ+ =1 ṽj, as the soution to the CDH probem. Probabiity Anaysis. Foowing the probabiity anaysis of Waters signature [22], the probabiity of F m 0 mod N during signing orace query and x + κ i=1 x im i = µκ 1 is at east 8κ+1q s. The probabiity of not asking pk τ in the corruption orace is 1 qc n. The probabiity of f τ = 1 in the 1 output phase is n. In additiona, S aso needs to guess the breaking period correcty. The probabiity is at east 1 T. Therefore if A outputs a forged signature with probabiity ɛ, B soves the CDH probem with ɛ probabiity ɛ 8T κ+1q sn 1 qc n, where q s, q c are the numbers of SO and CO respectivey, n is the number of pubic keys A aows to have, n is the number of users incuded in the forged signature produced by A, T is the tota number of time period and κ is the number of bits the hash function H outputs. Time Anaysis. The running time is dominated by the operations of exponentiation and mutipication in the corruption orace and the signing orace. There are at most OT 2 q c exponentiations and OT 2 q c mutipications in a corruption orace queries. There at at most OT 2 n q s exponentiations and OT 2 + κ + n q s mutipications in a signing orace queries. As the tota running time for A is t, the running time for B is at most t +O T 2 q c +n q s t e +O T 2 q c +n q s +κ+n q s t m. where q s, q c are the numbers of SO and CO respectivey, n is the number of pubic keys A aows to have, t e is the time for running an exponentiation and t m is the time for running a mutipication. Theorem 4. Assume the Subgroup Decision assumption hods in G. If there is a PPT adversary A that can break the anonymity with nonnegigibe advantage ɛ and running time t, we can construct another PPT B that can sove the Subgroup Decision probem with advantage ɛ ɛ and running time at most t + OT 2 q s t e + OT 2 n q s + κ + n q s t m. where q s is the numbers of SO respectivey, n is the number of pubic keys A aows to have, T is the tota number of time period, κ is the number of bits the hash function H outputs, t e is the time for running an exponentiation and t m is the time for running a mutipication. Proof. Setup. The simuator B is given the subgroup decision probem instance N, G, G T, e, g, h. B is asked to determine whether h G or

21 Forward Secure Ring Signature without Random Oraces 21 h G q. B randomy picks the generators u, u 1,... u κ, v, v 1,..., v, B 0 G and α Z N. B sets g 1 = g, g 2 = g α 1, h 1 = h, h 2 = h α. Finay, B randomy chooses a coision resistant hash function H : {0, 1} {0, 1} κ. Then B gives the pubic parameters N, G, G T, e, g 1, g 2, B 0, h 1, h 2, u, u 1,..., u k, v, v 1,..., v, H to the adversary A. For i = 1,..., n, B generates the pubic key and secret key of each user according to the KeyGen agorithm. B stores the set of pubic keys and secret keys {pk i, sk i,0 } n i=1 and sends them to A. Orace Simuation. B simuates the SOn, j, Y, pk i, M by running the Sign agorithm honesty. Chaenge. At some point, A outputs a message M, a set of n pubic keys Y, two indexes i 0, i 1 {1,..., n} such that pk i0, pk i1 Y and a time j. B picks a random bit b {0, 1} and uses the secret keys of sk ib,j to run the Sign agorithm to obtain the signature σ. B gives σ to A. Output. A continues to query and finay outputs a bit b. If b = b, then B outputs h G q. Otherwise, B outputs h G. Anaysis. Suppose the chaenge signature is S1, S 2, S 3, {C i, π i }n i=1 and Y = {pk1,..., pk n }. If h 1 is a generator of G, there exist x i, x i Z N such that Ci = pk i B 0 h x i 1 = h x i 1. Then x i, x i correspond to the case fi = 0 or 1 respectivey. Denote by πi f i = b the vaue of πi if f i is set to b {0, 1}. Then πi fi = 0 = pk i h x i xi 1 = h x i 1 B x i = h x i 1 x i 0 = pk i 1 h x i xi 1 = πi fi = 1. B 0 Therefore {Ci, π i }n i=1 has no information about the rea signer if h G. On the other hand, S2 and S 3 are computed by random numbers ony and do not have information about the rea signer. Finay, S1 is determined by the verification equation κ n es1, g 1 = e S2, u u m e g 2, B 0 Ci e S3, v v j. =1 Hence, it eaks no usefu information about the pubic key pk ib. Therefore if A wins the game, B outputs h G q. The advantage of B is at east ɛ. The running time of B shoud be simiar to the proof of Theorem 3 and we skip here. i=1 =1